
Another Serious Security Hole in PuTTY, Fixed

Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the host's key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."
  • Re:Amazing (Score:5, Interesting)

    by Westley ( 99238 ) on Tuesday October 26, 2004 @07:51PM (#10636910) Homepage
    While in general I agree that bugfixing tends to be fast in free software, I think PuTTY is a particularly exceptional case.

    This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.

    Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.

    I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon :)
  • Re:Amazing (Score:4, Interesting)

    by QuantumG ( 50515 ) <qg@biodome.org> on Tuesday October 26, 2004 @10:17PM (#10637953) Homepage Journal
    Can ya get him to accept my patch then? I've only emailed it to him about 5 times. Nothin' like gettin' snubbed by someone you're doing free work for.
  • Re:Amazing (Score:2, Interesting)

    by Anonymous Coward on Wednesday October 27, 2004 @12:06AM (#10638681)
    How long does it take an experienced cracker to build a no-CD crack for a game? They don't call it zero day warez for nothing.
    For the most part, copy protection is the same, so they only have to crack it once and it will work mostly-unmodified on many different games. Also, they don't need to exploit the copy protection, they just strip it out entirely so it's never even used. They don't exploit holes, they exploit the ability of the user to replace the game .exe with a new one.

    But the concern, the real concern, is not from a script kiddie using a year old exploit and turning your box into a porn site. The real concern is from someone finding a new exploit, breaking into an important system, undetected, and stealing or altering data.
    You're both right and wrong. It's "security by volume," in a way. You have to worry more about script kiddies because there are a lot more of them and the scripts are designed to trawl a huge number of machines all at once.

    The highly-talented individuals who write the scripts the kiddies use are more dangerous, per-person, but there are also far fewer of them. So while they can do more damage individually, as a group they actually do less... though usually their type of damage is far more severe.

    Your analysis of the disadvantages of closed-source software is also a little pessimistic. Assuming no other security measures in place, you'd be right. But a good, layered security approach will make a hacker's job much harder since it increases the number of vulnerabilities he needs to find. With a decent IDS running on the network and hidden from the intruder you should be able to replay his attack and report it to MS, who can then look at the source and figure out how to fix it. While all this is going on, only that one hacker knows how to duplicate his efforts. If he releases his exploit into the wild MS can quickly understand exactly how it works and release a patch in a matter of hours (if they choose to); if he doesn't, then the danger is low because he can only attack a certain number of computers at once.

    It's a definite balancing act, and if you're a big or important site like amazon.com or a bank, you should probably worry more about the individuals than the kiddies. But 99.995% of the Internet should be more concerned about the ignorant masses who can't do anything but run scripts on their DSL subnets.
