On Tue, 25 Jun 2002, kevin lyda wrote:
> another interpretation is this:
>> if the openssh team releases a patch today, the crackers will know the
> vulnerability immediately. if the openssh team releases privsep across
> the ports (which appears to also stop the attack), then the crackers
> are no wiser.
>> the "vulnerability clock" starts ticking the moment a patch comes out
> that directly addresses the problem. privsep will protect systems,
> but not directly give away the vulnerability.
the vulnerability clock started ticking as soon as the problem was
introduced in public code!
The problem may have been there for months or longer, some black hats
may have known of it way before ISS / Theo.
it /seems/ theo has chosen to dictate security policy to vendors
rather than work with vendors to have an actual fix ready for the
publish date. Which means that the only way to have a fix installed
on or before Theo's publish date is to install privsep (which has
only been proven on OpenBSD and doesnt yet work nicely with pam,
So it seems there's guaranteed to be a window of opportunity for a
remote ssh exploit on all non-OpenBSD systems.
Paul Jakma paul at clubi.iepaul at jakma.org Key ID: 64A2FF6A
If you can count your money, you don't have a billion dollars.
-- J. Paul Getty
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!