Contributed by jose on from the window-of-vulnerability dept.
On Friday, I saw a message on Bugtraq from the people at MITRE who run the CVE service stating that only 45% of vulnerabilities have been acknowledged by vendors . That's a pretty low number, but when you think about the number of acknowledgements you see vs. the number of vulnerabilities announced, that starts to seem realistic.
The "window of vulnerability" has been addressed by William Arbaugh in a pair of papers here and here , which definitely make for some good reading. Pair those up with an excellent 2002 Lisa paper from the guys at Wirex on about patching timelines . Also, an interesting paper from FIRST 1999 discusses patching methodlogies to keep on top of security as well as reliability.
Bringing it all back home, the usage graphs from OpenSSH show a clear response to vulnerabilities and new versions coming out, something which would be interesting to mine for in other services (BIND, SSL). As for OpenSSL vulnerabilities, Ben Laurie's lamentations on the subject are worth reading, too.
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous () on
Comments
By Anonymous Coward () on
claiming something that mitigates an attack as
a real fix identifies an misunderstanding of
the situation. it does not fix the vulnerability,
thus is not a fix.
you think chroot can't be bypassed?
tell me, if someone can execute arbitary code as
the reduced privilege user "sshd", can they
own you? yes. kernel vulnerabilities. see
select(2) or setitimer(2) recently. reduced
privileges and a chroot jail won't help you here.
so given there was a kernel vulnerability, and
given that it could have been exploited even with
privilege seperation, do you still think
it was a "REAL FIX"?
Comments
By Anonymous Coward () on
easy to tell people that there is a problem, if you cannot even remotely help to find a solution.
Comments
By Anonymous Coward () on
they would have to find the problem themselves.
i have no quibble with openssh over how they handled it, but claiming they released a fix in the form of privsep, is a fallacy.
it is their call. they lost users and (in some people's eyes) credibility not me. if you depend on a vendor you don't trust, you should find someone else.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
It was not entirely the OpenSSH team's fault, and I think they handled it reasonably (they were correct in that privilege separation mitigated the attack). They were scrambling to make that very platform-specific feature work on platforms (Solaris) where the vendors weren't doing a damn thing to help them.
By the time the actual week rolled around (the time when ISS claimed at first that they were going to release the advisory), the OpenSSH guys had released all the details and the "real fix".
What more do you want? They don't even get paid to do this. There are commercial vendors that wouldn't have even responded at all in a week, much less responded immediately with a workaround and a new version within a week.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By djm () on
Bullshit. 3.4 just fixed the bug and included a few more checks.
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
So you are really unfaire with the open(bsd/ssh) people saying... the previous version that were "supposedly safe".
They do what they can do have the most secure and safer system they can imagine/create. But in all case, that's for sure, someone will find a crack and enter.
The important thing in this matter is not if the code is bullsh*t or was bullsh*t or if the fix is bullsh*t... or I don't know what else.
The most important thing is that they recognize the problem and they do what they can to close the issue, even if it is a temporary one. And for that I must aknowledge that the open(bsd/ssh) team is really good and remarkable.
my 2 cents.
By Anonymous Coward () on
ssh -pt (post troll)
ssh -m=/. (mentality reduced to that of a slashotter)
ssh -imfw (I'm a fucking whiner)
ssh -onrh (Offer no real help).
ssh -mmuetiamaddgasapw (mod me up even though I'm a moron and deadly doesn't give a shit about post worthiness)
ssh -dsrisfobiat (deadly should really implement some form of blocking idiots such as this)
My favourite new flag is probably ssh -;-P
By Bruce () on
What they did was reasonable, under the circumstances. Because they were looking at a major SSH vulnerability, they wanted to give people a chance to protect their networks without immediately giving crackers an exploit toolkit. Nobody forced you to upgrade. You could even take this warning period as a chance to turn off SSH service on machines where this was an option, or at least to apply firewall rules reducing who could see your SSH port. Personally, I was very happy to have this opportunity to avoid what was about to become a widely known remote root hole.
You, on the other hand, could just wait the two or three days until they released a specific patch and description of the problem. So what exactly is your complaint? You didn't want people to have a couple days to react to the vulnerability without crackers knowing exactly how to exploit hundreds of thousands of machines on the net?
Grow up.
Comments
By Anonymous Coward () on
That's where you're wrong.
Comments
By Anonymous Coward () on
Nobody will force someone to upgrade if they don't want to upgrade. I have a machine and it is still with bsd 2.7 and it works perfectly, and my ssh is not open to the internet.
Next time I'll upgrade I'll surely take the last version of openbsd and automatically upgrade to the last version.
Until then... NOBODY can force me to upgrade IF I DON'T WANT TO. I know the risks and I assume it, because I have nothing to loose in my small network where is located my bsd server.
I have other boxs, and they have been fixed with the fix for openbsd.
So Mr. I know everything... grow up a little bit before telling so stupid things and crying. Give us solution if you are so good...
By Lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph
By RC () on
The only thing I thought they did wrong was by NOT telling people that disabling S/Key (or compiling without BSDAuth) would have stopped the exploit completely (then, few would have rushed to upgrade). However, I can understand them not wanting to tell crackers precisely where the problem existed...
All and all, it was a good handling of the problem.
By Anonymous Coward () on
By Anonymous Coward () on