Re: Sendmail hole
Bob Manson (manson@magnus.acs.ohio-state.edu)
Mon, 14 Mar 1994 23:16:31 -0500
>Wrong! You start broadcasting news about security holes, some unscrupulous
>person(s) will abuse the security hole.
Strange, some of them do it anyway.
> It is up to agencies like CERT and
>the manufacturers of the software to produce fixed versions of the software.
Yeah, right. Some of us are quite capable of fixing security holes
ourselves, and waiting for CERT to do it isn't always such a hot idea.
The crackers seem to know about the holes before CERT bothers to
release the information...
The biggest problem I see with CERT is that they tend to post these
messages about how "security hole X exists, here's a fix". They never
quite describe or explain what the security hole is, so if you don't
happen to be running the version of software that CERT provides a fix
for, you're out of luck. It's especially annoying when they tell you
to get a patch from your vendor and you're not running vendor-supplied
software, or you're compiling from source, or you're running Mutantix
put together by a company that went out of business 3 years ago, or
you're on version 3.1 of an OS that's up to 15.3 now...
>was broken into it should not be discussed on this type of list until it
>has been determined that software susceptible to the security hole has
>been patched or replaced.
Au contraire, if people would be open about the holes, people other
than CERT would supply patches, and probably in a more timely fashion.
(I know that I would. I can't speak for anyone else.) Plus, people
writing new software (gee, there's a thought :-) would be able to
avoid these sorts of problems in the future.
Why is it that I find out about the holes from folks on the net months
before "official organizations" get around to announcing them? For
example, has anyone discussed the problems with the source routing
option on TCP sockets? Or improperly doing reverse-IP lookups? Or
*gasp* NFS/RPC problems and fixes? I don't think so either.
Bob