
Another Serious Security Hole in PuTTY, Fixed

timothy posted more than 9 years ago | from the fixation-nation dept.

Security 30

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the host key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."


um.. how does it work? (1)

nile_list (812696) | more than 9 years ago | (#10636697)

Are there any details on how this exploit actually works? There's no FA to read this time :(

Putty (-1, Offtopic)

shaitand (626655) | more than 9 years ago | (#10636810)

ok, need gmail invite shaitand@spymac.com

Amazing (1, Insightful)

Pan T. Hose (707794) | more than 9 years ago | (#10636824)

It is really amazing how fast bugfixing works in free software and open source. "Warning, there is a hole, well actually there was a hole." I wonder how that process would work in the case of proprietary software. We'd probably have to wait a year for another service pack. In any case, there is only one thing I can say here: kudos to the PuTTY security team for fixing your holes so quickly.

Re:Amazing (1)

avalys (221114) | more than 9 years ago | (#10636840)

This is amazingly off-topic, but I feel like asking - what the hell do you do all day? It seems like every time I read the comments for a story, I see your name somewhere in the first five responses.

Re:Amazing (1, Informative)

Anonymous Coward | more than 9 years ago | (#10637183)

Posts to Slashdot and studies the moderation of his comments in GREAT DETAIL. I only noticed this as I was checking his post history to see if he was a troll before I took the bait and replied to a comment of his in a different story. I did not bite.

Re:Amazing (4, Funny)

kayen_telva (676872) | more than 9 years ago | (#10637443)

He has a PhD in first posts.

Re:Amazing (4, Interesting)

Westley (99238) | more than 9 years ago | (#10636910)

While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how widespread PuTTY has become. Then again, it's a cracking piece of software.

I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)

Re:Amazing (0)

Anonymous Coward | more than 9 years ago | (#10637898)

Do you mean "mates" in the traditional British MSM way?

Re:Amazing (1, Funny)

Anonymous Coward | more than 9 years ago | (#10639114)

More likely the Dr. Frankenfurter / Rocky Horror Picture Show way.

Re:Amazing (3, Interesting)

QuantumG (50515) | more than 9 years ago | (#10637953)

Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.

Re:Amazing (0)

Anonymous Coward | more than 9 years ago | (#10639329)

He might be more inclined to respond to your emails if you didn't use "Get Cheap Viagra Online Now!" as your subject line.

Re:Amazing (1)

Westley (99238) | more than 9 years ago | (#10639513)

What does it do? Bear in mind that the PuTTY team gets a *huge* amount of mail - it often takes them a long time to work through it.

Re:Amazing (1)

QuantumG (50515) | more than 9 years ago | (#10639569)

It's a UI patch. If they had a proper patch submission process, a mailing list, or some delegation of work, they'd get a lot more done.

Re:Amazing (4, Funny)

Simon Tatham (66941) | more than 9 years ago | (#10640186)

Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

Your patches look mostly sensible. I'll respond in detail by email.

Re:Amazing (2, Insightful)

ctr2sprt (574731) | more than 9 years ago | (#10637519)

While OSS has an advantage that bugs get fixed faster with more people available to work on them, it also has the disadvantage that the bugs are apparent to anyone who takes the time to look. So instead of having to pore through a million lines of assembler code and stack traces, you just look at the parts of the code where a buffer overflow might show up.

The moral of the story: it may take MS a month to roll out a fix, but it may also take a month longer for the bug to be discovered by unscrupulous individuals. MS, meanwhile, has access to the source, so it increases their chances of finding it first.

I'm not saying the closed-source approach is better, just that by the nature of the beast, OSS developers have to be more on the ball when it comes to releasing fixes quickly. That might explain why they usually are.

Re:Amazing (1)

T-Ranger (10520) | more than 9 years ago | (#10638203)

I'm not at all versed in the art of scanning through binary code looking for holes... or even through source code, for that matter. But look at games, for example. How long does it take an experienced cracker to build a no-CD crack for a game? They don't call it zero-day warez for nothing. I know it's not a direct analogy; crackers would not necessarily have access to the binaries of the target system.

But the concern, the real concern, is not from a script kiddie using a year-old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into an important system undetected, and stealing or altering data. The nature of the development process means that mistakes that could be security problems don't become real-world exploits. And those that do work their way into production code will eventually be vetted out by a high school student or the OpenBSD team, and fixed publicly. Exploits that work their way into closed source code will stay there until not when an exploit is found, but until when an exploit is found by a good guy and reported. Or to put things another way, the security issues with OSS approach zero the longer it is used. With closed source software, the issues approach some constant above zero.

Re:Amazing (2, Interesting)

Anonymous Coward | more than 9 years ago | (#10638681)

How long does it take an experienced cracker to build a no-CD crack for a game? They don't call it zero-day warez for nothing.

For the most part, copy protection is the same, so they only have to crack it once and it will work mostly unmodified on many different games. Also, they don't need to exploit the copy protection, they just strip it out entirely so it's never even used. They don't exploit holes, they exploit the ability of the user to replace the game .exe with a new one.

But the concern, the real concern, is not from a script kiddie using a year-old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into an important system undetected, and stealing or altering data.

You're both right and wrong. It's "security by volume," in a way. You have to worry more about script kiddies because there are a lot more of them and the scripts are designed to trawl a huge number of machines all at once.

The highly-talented individuals who write the scripts the kiddies use are more dangerous, per-person, but there are also far fewer of them. So while they can do more damage individually, as a group they actually do less... though usually their type of damage is far more severe.

Your analysis of the disadvantages of closed-source software is also a little pessimistic. Assuming no other security measures in place, you'd be right. But a good, layered security approach will make a hacker's job much harder since it increases the number of vulnerabilities he needs to find. With a decent IDS running on the network and hidden from the intruder you should be able to replay his attack and report it to MS, who can then look at the source and figure out how to fix it. While all this is going on, only that one hacker knows how to duplicate his efforts. If he releases his exploit into the wild MS can quickly understand exactly how it works and release a patch in a matter of hours (if they choose to); if he doesn't, then the danger is low because he can only attack a certain number of computers at once.

It's a definite balancing act, and if you're a big or important site like amazon.com or a bank, you should probably worry more about the individuals than the kiddies. But 99.995% of the Internet should be more concerned about the ignorant masses who can't do anything but run scripts on their DSL subnets.

Re:Amazing (3, Insightful)

cgenman (325138) | more than 9 years ago | (#10639392)

How long does it take an experienced cracker to build a no-CD crack for a game?

Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of SafeDisc aside, in the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary executables are decompiled all of the time for compatibility purposes; it's really not much of an impediment.

Re:Amazing (0)

Anonymous Coward | more than 9 years ago | (#10639408)

will stay their untill
but untill when

"there", "until".

A silly explanation (4, Funny)

BortQ (468164) | more than 9 years ago | (#10636934)

The exploit works like this:

When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

The solution is to always keep your putty inside its protective egg when in unknown territory.

Re:A silly explanation (0)

Anonymous Coward | more than 9 years ago | (#10639414)

inside it's protective egg

"its".

Umm newspost? (1)

LiENUS (207736) | more than 9 years ago | (#10637417)

While the file is on the download page http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html there is no notice of the security flaw... anyone know anything about this?

Re:Umm newspost? (1)

LiENUS (207736) | more than 9 years ago | (#10637433)

Never mind, they JUST made a post on the site detailing it.

Latest version (-1, Troll)

fulldecent (598482) | more than 9 years ago | (#10637442)

I linked a subdomain (http://putty.phor.net) to the latest binary.

So when I'm on a Windows box and I need an SSH client, I never need to download or worry about versions. I just type it in and hit run.

Re:Latest version (2, Informative)

irc.goatse.cx troll (593289) | more than 9 years ago | (#10637875)

That's nice if you want a trojaned SSH client. The rest of us just Google "I'm Feeling Lucky" for "putty.exe".

If you don't believe me that it's trojaned, scan it in any current antivirus software -- it submits your password via some custom protocol on the same port RealMedia uses. Nice try, script kiddie.

Slashdot and Security??? (0, Troll)

dsk052 (230739) | more than 9 years ago | (#10637657)

Interesting how Slashdot takes computer security so seriously, yet when it comes to US national security they are so blasé.

I love PuTTY (1)

tod_miller (792541) | more than 9 years ago | (#10639584)

I have used it for about 6 years; I always grab a copy and need it for something or other, even for mudding on Discworld this one time...

I don't think I ever visited the official site though... :-) Thanks developer type guys!

Front page, not IT section? (1)

Hobart (32767) | more than 9 years ago | (#10649654)

Timothy - for an app this widely deployed, this might [for the future] merit the front page instead of the IT section?
