Slashdot Mirror


Another Serious Security Hole in PuTTY, Fixed

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the host's key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

3 of 30 comments

  1. Amazing by Pan T. Hose · Score: 1, Insightful

    It is really amazing how fast bugfixing works in free software and open source. "Warning, there is a hole, well actually there was a hole." I wonder how that process would work in the case of proprietary software. We'll probably have to wait a year for another service pack. In any case, there is only one thing I can say here: kudos to the PuTTY security team for fixing your holes so quickly.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Amazing by ctr2sprt · Score: 2, Insightful

      While OSS has an advantage that bugs get fixed faster with more people available to work on them, it also has the disadvantage that the bugs are apparent to anyone who takes the time to look. So instead of having to pore through a million lines of assembler code and stack traces, you just look at the parts of the code where a buffer overflow might show up.

      The moral of the story: it may take MS a month to roll out a fix, but it may also take a month longer for the bug to be discovered by unscrupulous individuals. MS, meanwhile, has access to the source, so it increases their chances of finding it first.

      I'm not saying the closed-source approach is better, just that by the nature of the beast, OSS developers have to be more on the ball when it comes to releasing fixes quickly. That might explain why they usually are.

    2. Re:Amazing by cgenman · Score: 3, Insightful

      How long does it take an experienced cracker to build a no-CD crack for a game?

      Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of Safe Disk aside, in the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

      Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary executables are uncompiled all of the time for compatibility purposes; it's really not much of an impediment.