OpenSSH Patches 2nd Flaw
Web Design & Technology News, September 24, 2003

The open-source project for secure communications technology, known as OpenSSH, plugged a second security hole on Tuesday that affects only users who have turned off a critical security feature.
By Robert Lemos

The flaw appears in an open-source implementation of the Pluggable Authentication Modules (PAMs), a technology adopted by Sun Solaris, Linux and BSD systems to let system administrators easily change the way users log into computers. The default login procedure could be changed to a smart-card-based procedure using a PAM, for example.

The project started using open-source versions of the new PAM functions in the latest release of OpenSSH. However, as with a flaw found last week, the current vulnerability affects only versions of OpenSSH that have a security technology known as privilege separation turned off.

"It is unexploitable in the default configuration," said Theo de Raadt, a cofounder of the OpenSSH project. Moreover, he said, the flaw apparently affects only OpenSSH running on Sun Solaris servers.

Privilege separation is a security mechanism that essentially divides programs into two parts: a small component with system privileges that can modify almost any file on the computer, and the rest of the program, which runs with restricted privileges. The mechanism reduces the size of the code that software engineers have to audit carefully, making the program easier to secure.

"It takes a regular bug that could be escalated (by an attack) and protects you from it," de Raadt said.

For that reason, knowledgeable system administrators will likely not turn off the function. In that case, they wouldn't be affected by the newly discovered flaw.
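The check an administrator would run to see whether a server has privilege separation turned off, as an added example that is not part of the original article or the OpenSSH project's code. It assumes the setting is the `sshd_config` keyword `UsePrivilegeSeparation`, which the article does not name; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config files for disabled privilege separation.
# Assumption: the feature is controlled by the UsePrivilegeSeparation keyword.

# Print the effective UsePrivilegeSeparation value for config file $1.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; an unset keyword means the default (enabled).
privsep_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)         # "key value" and "key=value"
            if (tolower(f[1]) == "useprivilegeseparation") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Exit status 0 if privilege separation is on, 1 if it has been turned off.
privsep_enabled() {
    [ "$(privsep_setting "$1")" != "no" ]
}

# Constructed sample configs (not real host data) written into directory $1.
write_samples() {
    printf '%s\n' '# default install' 'Port 22' \
        '#UsePrivilegeSeparation no' > "$1/default.conf"
    printf '%s\n' 'Port 22' 'useprivilegeseparation=no' \
        'UsePrivilegeSeparation yes' > "$1/disabled.conf"
}

# Report one line per config file.
audit() {
    for f in "$@"; do
        if privsep_enabled "$f"; then echo "ON   $f"
        else echo "OFF  $f (privilege separation disabled)"; fi
    done
}

# Audit the files given as arguments, or the constructed samples if none.
if [ "$#" -gt 0 ]; then
    audit "$@"
else
    d=$(mktemp -d) && write_samples "$d" && audit "$d"/*.conf; rm -rf "$d"
fi
```

The second sample shows why the first occurrence matters: a later `UsePrivilegeSeparation yes` does not re-enable the feature once an earlier line has set it to `no`.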

After the flaw appeared on the popular Slashdot news blog, de Raadt criticized coverage of the issue as much ado about nothing. While acknowledging that the maintainers of OpenSSH had fixed two flaws in two weeks, he stressed that neither flaw affects systems in the default configuration.

"Open-source flaws that affect a handful of systems are getting as much coverage as Microsoft flaws that are affecting millions of systems," he said. It's unknown how many computer systems or network devices that use the OpenSSH code may have turned off privilege separation.

Information on the latest flaw and a link to the latest patch can be found on the OpenSSH Web site.
