Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!uunet!in3.uu.net!199.94.215.18!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!howland.erols.net!agate!theos.com!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: Security hole
Date: 21 Jan 1997 18:07:18 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 38
Message-ID: <DERAADT.97Jan21110718@zeus.theos.com>
References: <32DEEC3F.E23@interlog.com> <DERAADT.97Jan18154120@zeus.theos.com> <5bstum$84v@duke.telepac.pt> <5bue0s$psh@tofu.alt.net> <E4AAyu.GD2@news.interactive.net> <5c0glm$khi@tofu.alt.net> <E4Boww.69M@news.interactive.net> <DERAADT.97Jan20184315@zeus.theos.com> <E4D8wo.22E@news.interactive.net>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: ritz@onyx.interactive.net's message of Tue, 21 Jan 1997 16:10:00 GMT
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:5650

In article <E4D8wo.22E@news.interactive.net> ritz@onyx.interactive.net (Chris Mauritz) writes:

:) Well, It's well known that I don't think this to be enough. BSD is
:) being reactive to the bugs, just like all the other commercial
:) vendors. They are not fixing a problem until the exploit becomes
:) well-known.

Well, it's a bit difficult to fix an unknown bug.

Actually, it's very easy to find exploitable holes once you know what you are looking for. It's also very easy to fix most of them. That's what I've been working on for the last 6 months, and trust me.. it's very easy.

:) Even if you do this, I'd say the window is 3 weeks or so; from when
:) the bug becomes well known till when a fix is available. But during
:) the period of not-well-known you are vulnerable as well. Just to pick
:) an example, with the recent talkd exploit oh, the problem was known
:) about about 6 months. Four weeks ago you couldn't just see a news
:) posting containing the exploit code, you had to actually go onto irc
:) and ask around...

I believe we were the first to report the ntalkd bug to BSDI and the patch was available within 36 hours. I don't find that terribly unreasonable.

This is the commit message from the OpenBSD source tree for when we fixed this bug. Note the date.

revision 1.4
date: 1996/07/17 23:41:10; author: deraadt; state: Exp; lines: +10 -8
buffer overflow from dholland@hcs.HARVARD.EDU; could do with some cleanup?
----------------------------

I stand by my words that BSDI is simply reacting to security problems.

--
This space not left unintentionally unblank.    deraadt@theos.com
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.