Slashdot Mirror


Sun Security Patch Introduces Security Hole

Rich0 writes "Sun is announcing that their 'Security Hardening Package' for their Cobalt RaQ 4 Linux servers allows remote users to execute arbitrary code. Ironically, the solution is to remove the package, potentially removing protection from other compromises. There's a CERT advisory, as well as an article posted on Extremetech." Yikes, one would hope there's a forthcoming patch in the works.

6 of 265 comments

  1. Big Honking Deal! by svvampy · Score: 4, Insightful

    Bugs happen every day.

    Patches are generated in response to those bugs

    Patches sometimes generate further bugs

    Sometimes these bugs involve security. D'oh

    profit?

    1. Re:Big Honking Deal! by Anonymous Coward · Score: 3, Insightful

      "Bugs happen every day.

      Patches are generated in response to those bugs

      Patches sometimes generate further bugs

      Sometimes these bugs involve security. D'oh"


      Too bad every time MS does it, Slashdot has a 'everybody who uses MS is stupid!' field day.

  2. Re:Yet Another Reason No One Takes Linux Seriously by haggar · Score: 4, Insightful

    It was a patch for Linux. So, as you see, Linux is gaining momentum, after all (according to your logic)?!

    --
    Sigged!
  3. Re:Wow! by mentin · Score: 4, Insightful
    Microsoft is the only company I've heard of who has recommended not to trust software signed by them.

    What Microsoft is saying is simply "some time ago we signed and released a piece of code. this code has bugs. don't download it. yes, it is signed but so what? don't download it anyway."

    Say I have a 3-year old PGP distribution signed by PGP Corp. It is signed. But it has known bugs (discovered long after signing). Should I install it? No. The fact that it is signed does not mean anything beyond simple fact that it was produced by particular person/corporation.

    By the way, do you know any other vendor who has been signing their software as long as MS?

    I remember Apple updates simply downloaded unsigned code from their web server, without verifying any signature at all. So a man-in-the-middle could inject a trojan.

    Linux ISO-files usually are "protected" by MD5 hash. So if you sit in the middle and can modify both ISO file and MD5 hash, you can do whatever you want with this distribution.

    --
    MSDOS: 20+ years without remote hole in the default install
  4. Patch Testing by anonymous cupboard · Score: 4, Insightful
    During a release test, you run through everything so all possible interactions are checked. This takes some time. A patch is something that gets rushed out to cure a problem in the field. It gets checked to see whether it fixes the bug but there is usually insufficient time to run it through a complete regression test. End result is that patches may introduce bugs.

    Another issue is that sometimes to fix a bug, a newer version of a code block may be used (like taking a Linux 2.5.x solution back to fix a bug in 2.4.x). This code block may have unwanted functionality (because it has been inadequately tested).

    Now all the above goes for commercial software, where there is a formal testing and 'fixit' budget. It therefore goes for free software too. Although individual teams are well motivated to sort out their software, it is more difficult to organise proper testing across teams.

    In this case, we are lucky as a single team are working on this and it was sorted out quickly. Somehow some closed source developers don't seem to be so good about quick releases of their patches, and when they do, they still contain as many bugs (IE patches anyone?).

  5. Re:Wow! by Black Copter Control · Score: 5, Insightful
    The problem isn't just that you can't trust a specific piece of bad software. It's that -- because of the rather cockeyed way that Microsoft did their DLL 'support' -- there's no way that you can just pull trust for that piece of code, or otherwise prevent it from being downloaded, without removing trust for everything made by Microsoft. This leaves users in the rather weird position of either not being able to download *any* MS ActiveX control (for fear that it could be the bad one) or leaving themselves open to the possibility of somebody trojaning in the bad 'trusted' control and then owning your machine up kazoo.

    The problem with this Cobalt 'security' release is one of a flawed implementation. Microsoft's bug was one of tragically bad design. The latter is much harder to work around.

    --
    OS Software is like love: The best way to make it grow is to give it away.
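The two points raised in comments 3 and 5 above (a signature proves who produced the code, not that the code is safe; and a verifier needs to be able to reject one known-bad signed artifact without distrusting the whole publisher, which an MD5 file served next to the ISO cannot do either) can be shown in a few lines. The block below is an added example and is not code from the thread, from Sun, or from Microsoft. It models the publisher's signature with HMAC-SHA256 under a key the verifier has pinned out of band, which is a stand-in for the asymmetric key pair a real Authenticode or PGP setup would use; the artifacts, key, and "trojan" bytes are all constructed for the example.

```python
"""Added example (not from the thread): a signature proves origin, not
absence of bugs, and a per-artifact deny list lets a verifier reject one
known-bad signed build without distrusting everything from the publisher.

Assumptions (all constructed for this example):
  * The publisher's signature is modelled with HMAC-SHA256 under a key the
    verifier pinned out of band.  Real vendors use an asymmetric key pair
    (Authenticode, PGP); HMAC is a stand-in so this runs on the stdlib.
  * "Artifacts" are short byte strings standing in for a downloaded
    ActiveX control or ISO image.
"""
import hashlib
import hmac

# Pinned publisher key, obtained out of band (constructed value).
PUBLISHER_KEY = b"vendor-signing-key-pinned-out-of-band"


def sign(artifact: bytes, key: bytes = PUBLISHER_KEY) -> bytes:
    """Publisher side: sign the SHA-256 digest of the artifact."""
    digest = hashlib.sha256(artifact).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes,
                    key: bytes = PUBLISHER_KEY) -> bool:
    """Verifier side: constant-time comparison against the pinned key."""
    return hmac.compare_digest(sign(artifact, key), signature)


def accept(artifact: bytes, signature: bytes, deny_hashes: set) -> str:
    """Install policy. A valid signature is necessary but not sufficient.

    Returns:
      "bad-signature"  signature does not verify (tampered or foreign code)
      "revoked"        validly signed, but this exact build is known bad
      "accepted"       valid signature and not on the per-artifact deny list
    """
    if not signature_valid(artifact, signature):
        return "bad-signature"
    if hashlib.sha256(artifact).hexdigest() in deny_hashes:
        return "revoked"
    return "accepted"


# --- The "ISO plus MD5 on the same server" scheme from comment 3 ---------

def md5_sidecar_check(iso: bytes, published_md5: str) -> bool:
    """Passes whenever ISO and sidecar agree, including when an attacker
    in the middle rewrote both of them."""
    return hashlib.md5(iso).hexdigest() == published_md5


def mitm_rewrites_both(iso: bytes) -> tuple:
    """Attacker controlling the channel swaps the ISO and recomputes the
    sidecar hash to match (constructed payload)."""
    evil = iso + b"\n# trojan payload (constructed)"
    return evil, hashlib.md5(evil).hexdigest()


def demo() -> dict:
    """Run the scenarios from the thread and return the verdicts."""
    good = b"vendor-control v1.1 (constructed)"
    buggy = b"vendor-control v1.0, later found exploitable (constructed)"
    good_sig, buggy_sig = sign(good), sign(buggy)

    # Deny list keyed by the hash of the known-bad build only; the
    # publisher's key stays trusted for every other artifact.
    deny = {hashlib.sha256(buggy).hexdigest()}

    tampered = good + b" + injected code (constructed)"
    results = {
        "good": accept(good, good_sig, deny),                 # accepted
        "buggy_but_signed": accept(buggy, buggy_sig, deny),   # revoked
        "tampered": accept(tampered, good_sig, deny),         # bad-signature
    }

    # Integrity hash served beside the download vs. a signature under a
    # key the attacker does not hold.
    iso = b"distro.iso contents (constructed)"
    evil_iso, evil_md5 = mitm_rewrites_both(iso)
    results["md5_sidecar_passes_after_mitm"] = md5_sidecar_check(evil_iso, evil_md5)
    results["signature_fails_after_mitm"] = not signature_valid(evil_iso, sign(iso))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The deny list is keyed by the artifact's hash, so revoking the known-bad control touches nothing else signed with the same key; that is the granularity comment 5 says was missing. The MD5 sidecar case passes after the swap because the hash and the payload travel over the same attacker-controlled channel, while the signature check fails because the pinned key was never on that channel.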