Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Serious Security Hole in PuTTY, Fixed

Posted by timothy on from the fixation-nation dept.

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."

6 of 30 comments (clear)

  1. Re:Amazing by Westley · · Score: 4, Interesting

    While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

    This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

    Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.

    I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)

  2. A silly explanation by BortQ · · Score: 4, Funny
    The exploit works like this:

    When putty goes out over the web, if an attacker can find it then they can press a piece of newsprint against it. Putty will come away from this with some arbitrary instructions left inside. Scary.

    The solution is to always keep your putty inside it's protective egg when in unknown territory.

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
  3. Re:Amazing by kayen_telva · · Score: 4, Funny

    he has a PHD in first posts

  4. Re:Amazing by QuantumG · · Score: 3, Interesting

    Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.

    --
    How we know is more important than what we know.
  5. Re:Amazing by cgenman · · Score: 3, Insightful

    How long does it take an experience cracker to build a no-CD crack for a game?

    Macrovision once estimated the time for an average game at 5 days, and touted that their software pushed that number back an additional week. Actual merits of Safe Disk aside, In the industry one assumes a one to two week window before pirated copies start arriving, unless your game is particularly popular and it gets cracked on release day or even before release.

    Having access to the source doesn't really make it any easier for a hacker to deconstruct the workings of the system. Binary Executables are uncompiled all of the time for compatibility purposes, it's really not much of an impediment.

    --
    The ______ Agenda
  6. Re:Amazing by Simon+Tatham · · Score: 4, Funny

    Sorry about that. I've found your patch in my mail archives (although I only see two copies of it, not five!). As far as I can tell, both times it turned up when I had so much mail to read that I simply didn't have time to read it all.

    Delegation of work would be nice, but it's very difficult to find anyone competent to vet patches the same way we do, with full appreciation of issues such as portability. At the end of the day, the core PuTTY team need to personally check anything that goes into the code base, to prevent obvious security holes (although this isn't a great time to mention that, I know :-) and to ensure the long-term health and maintainability of the code. Even the very best patches I've received still need work before they're usable.

    Your patches look mostly sensible. I'll respond in detail by email.