Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Serious Security Hole in PuTTY, Fixed

Posted by timothy on from the fixation-nation dept.

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

9 of 30 comments (clear)

  1. Re:Amazing by Westley · · Score: 4, Interesting

    While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

    This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

    Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.

    I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)

  2. A silly explanation by BortQ · · Score: 4, Funny
    The exploit works like this:

    When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

    The solution is to always keep your putty inside it's protective egg when in unknown territory.

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
  3. Re:Amazing by kayen_telva · · Score: 4, Funny

    he has a PHD in first posts

  4. Re:Amazing by ctr2sprt · · Score: 2, Insightful
    While OSS has an advantage that bugs get fixed faster with more people available to work on them, it also has the disadvantage that the bugs are apparent to anyone who takes the time to look. So instead of having to pore through a million lines of assembler code and stack traces, you just look at the parts of the code where a buffer overflow might show up.

    The moral of the story: it may take MS a month to roll out a fix, but it may also take a month longer for the bug to be discovered by unscrupulous individuals. MS, meanwhile, has access to the source, so it increases their chances of finding it first.

    I'm not saying the closed-source approach is better, just that by the nature of the beast, OSS developers have to be more on the ball when it comes to releasing fixes quickly. That might explain why they usually are.

  5. Re:Latest version by irc.goatse.cx+troll · · Score: 2, Informative

    Thats nice if you want a trojaned ssh client. The rest of use just google I'm feeling lucky "putty.exe".

    If you don't believe me that its trojaned, scan it in any current antivirus software -- It submits your password via some custom protocol via the same port RealMedia uses. Nice try, script kiddie.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  6. Re:Amazing by QuantumG · · Score: 3, Interesting

    Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.

    --
    How we know is more important than what we know.
  7. Re:Amazing by Anonymous Coward · · Score: 2, Interesting
    How long does it take an experience cracker to build a no-CD crack for a game? They dont call it zero day warez for nothing.
    For the most part, copy protection is the same, so they only have to crack it once and it will work mostly-unmodified on many different games. Also, they don't need to exploit the copy protection, they just strip it out entirely so it's never even used. They don't exploit holes, they exploit the ability of the user to replace the game .exe with a new one.

    But the concern, the real concern, is not from a script kiddie using a year old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into a important system, undetected, and steal or alter data.
    You're both right and wrong. It's "security by volume," in a way. You have to worry more about script kiddies because there are a lot more of them and the scripts are designed to trawl a huge number of machines all at once.

    The highly-talented individuals who write the scripts the kiddies use are more dangerous, per-person, but there are also far fewer of them. So while they can do more damage individually, as a group they actually do less... though usually their type of damage is far more severe.

    Your analysis of the disadvantages of closed-source software is also a little pessimistic. Assuming no other security measures in place, you'd be right. But a good, layered security approach will make a hacker's job much harder since it increases the number of vulnerabilities he needs to find. With a decent IDS running on the network and hidden from the intruder you should be able to replay his attack and report it to MS, who can then look at the source and figure out how to fix it. While all this is going on, only that one hacker knows how to duplicate his efforts. If he releases his exploit into the wild MS can quickly understand exactly how it works and release a patch in a matter of hours (if they choose to); if he doesn't, then the danger is low because he can only attack a certain number of computers at once.

    It's a definite balancing act, and if you're a big or important site like amazon.com or a bank, you should probably worry more about the individuals than the kiddies. But 99.995% of the Internet should be more concerned about the ignorant masses who can't do anything but run scripts on their DSL subnets.

  8. Re:Amazing by cgenman · · Score: 3, Insightful

    How long does it take an experience cracker to build a no-CD crack for a game?

    Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of Safe Disk aside, In the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

    Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary Executables are uncompiled all of the time for compatibility purposes, it's really not much of an impediment.

    --
    The ______ Agenda
  9. Re:Amazing by Simon+Tatham · · Score: 4, Funny

    Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

    Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

    Your patches look mostly sensible. I'll respond in detail by email.