10 year old sendmail bug

Subject: 10 year old sendmail bug
From: Gary Stoneburner <gary.stoneburner@nist.gov>
Date: Wed, 19 Mar 2003 13:52:47 -0500
Content-Type: multipart/alternative; boundary="=====================_189481390==.ALT"

re: http://www.computerworld.com/securitytopics/security/story/0,10801,79123,00.html

MARCH 10, 2003

"Has your sendmail been patched? Are you sure? If the answer is no, stop reading this and get it taken care of. Not later today. Not later this minute. You're already a week behind, and hackers have had exploit code working since last Tuesday. There are no work-arounds. Your firewall won't protect you. Your virus scanner won't protect you. ..."

"And since it took less than 48 hours for two separate groups of hackers to come up with working attacks on this security hole after it was officially announced, you can reasonably expect attacks to show up on the Internet pretty quickly, too. "

"It's no simple buffer-overflow problem, like so many we've heard about. In this case, the buffer that lets the bad guys in is checked to make sure it doesn't overflow. Trouble is, there's a bug in one of the checking routines. And if a bad guy exploits that coding error -- but only if the bad guy knows exactly how to exploit that specific coding error -- sendmail is vulnerable. Which explains why it took 10 years for anyone to spot the problem, and why it was Internet Security Systems in Atlanta that spotted it, not some malicious adolescent in his bedroom. The problem was buried deep in code that has been available to security experts and nasty crackers alike -- and until now, no one spotted it. "

"... We're finding and fixing the flaws deep in the bedrock of our IT infrastructure. And that makes us much safer. "

Wait a minute there sport! So you think that there are no bad guys that knew about this bug last year or the year before or the year before that? Do they already own your system? Do you think that there are no other bugs that a bad guy knows about that we don't?

Remember - those patches and work-arounds you have are there ONLY because the guy who found the bug choose to tell us about it. How about the possibility that there are guys in the business of finding bugs and not telling?

Cheers,
Gary

************************************************************************** * Opinions expressed are not intended to reflect an official position ************************************************************************** * Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************

Prev by Date: Exploding Chips
Next by Date: Another one - this time a long-standing Windows bug
Prev by thread: Another one - this time a long-standing Windows bug
Next by thread: Exploding Chips

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov