Another Serious Security Hole in PuTTY, Fixed 30
Markaci writes "You may recall recently upgrading PuTTY. There is a new version, released 2004-10-26, which fixes a very similar security hole. The bug can allow servers that you think you can trust to execute code on the PuTTY client, even before you verify the hosts key while connecting using SSH2. You can be attacked before you know that you have connected to the wrong machine. Upgrade to version 0.56 now."
Re:Amazing (Score:5, Interesting)
This is because Simon (and the rest of the PuTTY team, I suspect) basically won't sleep knowing there's a significant security flaw.
Considering this started off as just a way of getting a reasonable terminal emulator for Windows for personal use, I'm always amazed at how wide-spread PuTTY has become. Then again, it's a cracking piece of software.
I used to use the fact that Tim Curry played Monopoly with my dad when they were kids as my kudos-by-proxy. Now it's being mates with Simon
Re:Amazing (Score:4, Interesting)
Re:Amazing (Score:2, Interesting)
The highly-talented individuals who write the scripts the kiddies use are more dangerous, per-person, but there are also far fewer of them. So while they can do more damage individually, as a group they actually do less... though usually their type of damage is far more severe.
Your analysis of the disadvantages of closed-source software is also a little pessimistic. Assuming no other security measures in place, you'd be right. But a good, layered security approach will make a hacker's job much harder since it increases the number of vulnerabilities he needs to find. With a decent IDS running on the network and hidden from the intruder you should be able to replay his attack and report it to MS, who can then look at the source and figure out how to fix it. While all this is going on, only that one hacker knows how to duplicate his efforts. If he releases his exploit into the wild MS can quickly understand exactly how it works and release a patch in a matter of hours (if they choose to); if he doesn't, then the danger is low because he can only attack a certain number of computers at once.
It's a definite balancing act, and if you're a big or important site like amazon.com or a bank, you should probably worry more about the individuals than the kiddies. But 99.995% of the Internet should be more concerned about the ignorant masses who can't do anything but run scripts on their DSL subnets.