Message-ID: <20020914221251.GB94761@trance.org>
From: niels=netsys at bakker.net (Niels Bakker)
Subject: CERT..(the linux ssl issue) CA-2002-027
* len@...sys.com (Len Rose) [Sat 14 Sep 2002, 23:30 CEST]:
> Of course the alert is great, but to reiterate my point,
> too limited in scope and may lead to a false sense of
> complacency for non-linux sites.
I concur. I sent the mail below to the moderator of Bugtraq after he
rejected the posting included at the end. (I've removed his words.)
-- Niels.
----- Forwarded message -----
Date: Fri, 13 Sep 2002 21:17:06 +0200
From: Niels Bakker <niels=bugtraq@...ker.net>
To: Dave Ahmad <da@...urityfocus.com>
Subject: Re: bugtraq.c httpd apache ssl attack
Hi David,
Thanks for your quick reply.
[ david here states that he thinks my quoted statements were
superfluous, as the remedies proposed by some bugtraq posters
were only temporary measures. ]
I think it needs to be stated. Stopgap measures like those proposed by
those two subscribers give a false sense of security.
"Whew! /tmp/.bugtraq.c created and gcc disabled. I'm safe now!"
The reverse is true.
Given that most Outlook-borne viruses/worms continue to spread literally
years after Microsoft has made patches public that fix the holes these
exploit to spread, the message to patch your systems cannot be repeated
too often, in my opinion.
If I were a script kiddie, I'd quickly make a bugtraq2.c that used
mktemp() to select a filename and had appropriate workarounds for a
disabled gcc (i.e., carry a binary payload as well, or the ability to
download one from somewhere). It'd be reasonably successful, too, due
to wrong advice like that below being handed out on well-known forums
like Bugtraq.
No, the life of a security-conscious person isn't easy; on the contrary,
it's hard work staying on top of things. You're bound to miss things,
but you shouldn't make things worse by actively ignoring them.
>> Won't it be easiest to just upgrade to a non-vulnerable version of
>> OpenSSL and mod_ssl?
>>
>> Obviously way better than a stopgap measure that blocks one particular
>> implementation of an extremely wide range of attacks, I'd say.
Regards,
-- Niels.
--
"Patient" is Latin for "sufferer".