Slashdot Mirror
CUPS Security Vulnerabilities
Buck Naked writes "A slew of vulnerabilities was discovered in CUPS, from the advisory: 'Exploitation of multiple CUPS vulnerabilities allow local and remote attackers in the worst of the scenarios to gain root privileges...' The full advisory can be found at iDEFENSE."
Common sense applies. The outside world doesn't need access to your printers, so firewall it and remember to patch it once in a while and you might be safe...
While many might chime in here saying this story would be better suited on security sites, I for one just heard about it now. I also plugged about 3 vulnerabilities because of it.
CUPS, as far as I'm concerned is the killer app for printing in the *nix world. And just like another poster mentioned, why on earth would someone not be firewalling their printer? So once again it comes down to the competency of the system administrator. As for the MS trolls out there who will use this as an excuse to pan OSS, I'd like to point out that at least with CUPS and projects like it we won't have to wait for the maintainers to admit there's a problem, and then wait a month or more for a fix. This is news only in that security vulnerabilities need to be dissemenated as widely as possible
If thou see a fair woman pay court to her, for thus thou wilt obtain love
> How many people might've come to know about them in that time?
I would estimate that no more that 4 to 6 people had complete access to all of the problems before they were made public.
To the best of my knowlege none of these problems were ever exploited in the wild. (And if they were, as long as people patch their systems, they won't be.)
I found these problems by auditing the source, and not because of any rumors of active exploitation.
Open source software is sometimes considered to be more secure than closed source because you can see the source code.... the same reason other people say that it is less secure.
For being able to see the source code to make any difference at all, someone actually has to look at it, which doesn't appear to happen as often as either side claim does.
All it takes for a piece of software to be insecure is one exploitable problem, whether it is open or closed source.
What helps keep people secure is publicity that there is something wrong.
It's no use there being patches made available if nobody knows there was a problem... this article has probably done more for getting peoples boxes patched than all the security lists combined.
Anonymous Coward complained that it was a month between the holes being discovered and the patch being released... check out the problem's I found with the posterboy of open source in business, Netscape/Mozilla... 4 months to get some of them fixed... and when they released a buggy version and patched it 2 days later (or something like that) people actually CONGRATULATED THEM!!! Publicity over the bugs in Mozilla/Netscape was minimal to say the least...
Look at Code Red. Publicity caused that to be much less of a problem than it could've been.
The more exploits the 'bad guys' have, the more likely those exploits will be patched.
Having an exploit for a vulnerability that is patched on 99% of boxes is pretty much useless... distributing an exploit with your advisory isn't 'a neccessary evil', it's a bloody good idea.
A complete working script kiddie friendly exploit for every hole that is found should be given away, free of charge. Let the holes that people don't patch get exploited. If you know that within a day of a security advisory being released there will be an easy to use way for anyone in the world to use it against you, are you going to let your guard down?
-- zen-parse