Slashdot Mirror


Serious Security Hole In PuTTY

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even before you verify the host's key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."

4 of 72 comments

  1. Clarification by SpaceLifeForm · · Score: 5, Informative
    It's the server that you think you can trust that can execute code on your PuTTY client.

    The writeup is not clear:

    The bug may allow servers to use PuTTY to act as a machine that you trust,...

    Well, of course you trust your client machine.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  2. Re:PuTTY tip by Anonymous Coward · · Score: 5, Informative

    Open PuTTY, Category -> Connection -> SSH -> Tunnels.

    In the port forwarding section, add new forwarded port.

    Pick a source port. Any port will work, but 1080 is the standard for SOCKS 5 proxies. Leave Destination blank, and choose Dynamic (instead of Local or Remote). Click the add button, and you should see D1080 listed in the box.

    Okay, now you can save your session and start it.

    In applications you can go into their connection settings section and set localhost, port 1080 as the SOCKS host. The application will then tunnel everything through your SSH connection.

  3. Seriously though by GigsVT · · Score: 5, Informative

    Does anyone really do anything other than just blindly hit "yes" when presented with a new host identification string?

    Even with strict checking on, most of us are used to blowing records out of known hosts files when they don't match, due to system upgrades causing the old records to be invalid all the time.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  4. Re:Nice response time by Simon Tatham · · Score: 4, Informative

    That's true, we didn't mention that anywhere, did we?

    We were notified of the problem six days before the 0.55 release went out. I'd have liked to get it turned around faster than that, but it took me a few days of bouncing email back and forth to get a coherent description of one of the two problems (the less important one, as it turned out).

    But of course you've only got my word for that...