Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Security Hole In PuTTY

Posted by timothy on from the and-now-it's-fixed dept.

Tim 'gk^' Nilimaa writes "A serious security hole has been found in PuTY, version 0.54 and before. Simon Tatham and his fellows released PuTTY 0.55 on 2004-08-03 which solves this bug. The bug may allow servers to use PuTTY to act as a machine that you trust, even beforce you verify the hosts key while connecting using SSH2. An attack could be a fact before you know that you have connected to the wrong machine. I (and they) say: upgrade to PuTTY 0.55 - now."

5 of 72 comments (clear)

  1. PuTTY tip by Anonymous Coward · · Score: 1, Interesting

    Not really related to this particular story, but related to recent versions of PuTTY. If using SSH, you can set up dynamic port forwarding which actually works as a SOCKS5 proxy which can be used by many applications. This means secure email, secure web browsing, secure whatever, wherever you are as long as you have access to SSH.

  2. What I want to know... by Anonymous Coward · · Score: 2, Interesting

    Why is it that PuTTY is a production quality app and it's version number is still < 1? Shouldn't we be at a 1.x release by now?

  3. Why not front page? by gmhowell · · Score: 4, Interesting

    Why isn't this on the front page? Oh, right, let's bury news of problems with cool programs, but a minor issue (solved six months ago) in a Microsoft program gets front page mission.

    Keep up the good work Rob. Hey, where are the 503's today? It hardly seems like the dot without them.

    Yeah, yeah, -1, flamebait -1 troll. Who gives a crap? Not Rob or OSDTNVHPR

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  4. Re:Nice response time by Richard_at_work · · Score: 3, Interesting

    so its always assuring that the devs have a quick turn around on fixes (especially with free software), that kind of dedication is appreciated

    Not meaning to be nasty to the putty team, but theres no verifiable date of discovery of this bug, and the last release was 2003. This bug could have been known to the team 6 months ago, and only fixed now :).

  5. Re:Seriously though by gregfortune · · Score: 2, Interesting

    What I usually do if I don't know for sure is feed the host a batch of incorrect passwords... If one of them lets me in, the host is certainly a fake. If my fake passwords fail, then I send the correct password and if it *doesn't* let me in, I know my password has been comprimised. Not perfect, but admins killing off their keys when they rebuild a machine is pretty lame too.