Buffer Overflow in Sendmail 478
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
Nice week for open source (Score:5, Insightful)
Re:*cough* (Score:3, Insightful)
The difference is that Microsofts patches take forever to come out and introduce more holes than anything else.
In linux patches come out the same day... and are well documented.
Re:OpenSSH as well (Score:5, Insightful)
It's a paradox that people who are so paranoid when it comes to security (there are no proof of concept remote exploits for either of these holes), would download patches from where ever and who ever.
Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.
Before the Microsoft defenders say it... (Score:3, Insightful)
It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.
But there is another kind of security problem for which Microsoft is deservedly bashed. The problem Microsoft is bashed for having poor security is when their system is insecure in its design. (It may not have been a design goal.)
Examples would include, running a webserver under the System or Administrator account so that once it is compromised, the system is rooted. Installing and activating services by default. These problems are all caused by security having a low priority in the past, and Microsoft is deservedly bashed for these. Nimbda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.
No doubt, sendmail also deserves some criticism.
I wonder how many Linux/Apache systems get web pages defaced via. SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?
Re:*cough* (Score:3, Insightful)
Sendmail has never had a good reputation for code quality. MS doesn't either. Whats your point?
Re:*cough* (Score:2, Insightful)
Re:Fix this at the language level? (Score:1, Insightful)
Re:*cough* (Score:3, Insightful)
Maybe the reason MS and sendmail products are so often compromized is that they are both very popular and thus are a good target for security companies? You would not get a big fame (did I say money?) for finding bugs in some obscure product. However finding bug in any Microsoft product or sendmail will bring you to headlines immediately.
Re:*cough* (Score:3, Insightful)
Really? What holes were introduced by, say, the Blaster worm patch? Or any other patches you care to name?
Can't argue about the speed of patches, exactly, but I'd point out that MS almost always releases a patch before the bug in question is widely exploited -- the problem with the last few worms/viruses was more with unpatched systems than lack of responsiveness on MS's part. MS could come out with a patch within a nanosecond of an exploit's discovery and there would still be millions of people who wouldn't bother applying it. That's hardly a problem that's unique to Windows -- I bet you can still find lots of Apache installations out there with known security holes.
Acutally their is a BIND9 patch today... (Score:4, Insightful)
Re:Sendmail's future (Score:5, Insightful)
A fairer assessment is that, when sendmail was designed, security was not as big an issue as it has become today. And in their defense, they do seem quite good about notifying people when vunerabilities arise and releasing fixes as quickly as possible.
That being said, sendmail is a pain in the ass. You have to remember that when sendmail was developed, there were many different mail protocols (besides SMTP), and sendmail had to support all of them -- this is why sendmail config files are so darned complex and unreadable. The vast majority of those have faded into obscurity, so subsequent products, like Postfix, can be much simpler and less complex and, thus, more likely to be secure. For a long time, sendmail was the only choice for a real MTA, but I think Postfix has proven itself a worthy successor.
Re:Patch delivery mechanism (Score:5, Insightful)
You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?
Re:What Sendmail security problem? (Score:5, Insightful)
To all the Microsoft bashers out there.... (Score:2, Insightful)
Seriously. How many people out there are running sendmail and don't read slashdot (thus never getting notification?). How many people are running a brand-spankin-new linux distro that came set up out of the box with sendmail, and don't even know they're running it? How many know they have it but just don't give a shit?
Yes, the patch was released quickly. But how easily is it widely distributed? Windows may have buggy software - but so does the rest of the world, atleast MS put automatic WindowsUpdate in XP to help take care of the distribution problem.
Some people already are saying "well, MS code sucks, and so does sendmail's"
So there.
Re:OpenSSH as well (Score:4, Insightful)
One of the pluses of open source is that you have the ability to look at the code and determine exactly what the patch changes. For a small patch most sysadmins, even though they might not be an "elite" programmer, can determine that the code does some extra boundary checking or the like.
I would hope that sysadmins do this before installing code from an unknown source.
Re:Sendmail's future (Score:3, Insightful)
The right answer is to embark on a methodology for trying to root out the bugs, and/or use technologies that are intrinsically more resilient in the first place. While a rewrite in Java or Python are problematic ideas from the very get go (either requiring an installed and functional JVM, or being as slow as a post), one can at least address the ANSI C string library weakness (the obvious lowest hanging fruit) by using a substitute [sf.net].
Look guys -- this is an opportunity. Microsoft thumbs their collective noses at Open Source people because they believe that they are more innovative. If the Linux community is able to put forth mechanisms, ideas, and possibly tools that truly address the "safe programming" issue, then this would be a quick slap in their face.
Steve Ballmer has started pounding his fist and making prognostications about how Microsoft is going to deal with security via their innovation. Of course its nonsense -- but people will only realize this *if* the Open Source community is able to step up to the plate and *demonstrate* their superior solution.
Re:Sendmail's future (Score:3, Insightful)
Absolutely. In sendmail's heyday, the internet was a collection of several hundred .edu and .mil organizations, with a few .com technology companies thrown in, notably IBM and DEC. The few hundred thousand people on the net tended to be researchers and faculty in technical fields and their students. Security was very lax because it was a relatively small, closed, professional society. People simply didn't worry about security.
It is probably time to either move to a new MTA or rewrite sendmail form the ground up.
I USE SENDMAIL BECAUSE I NEED UUCP (Score:1, Insightful)
You people are almost as irritating as Christians trying to win converts!
*nix users vs. Windows proponents (Score:2, Insightful)
Interestingly, *nix users don't seem to howl at Slashdot for publishing every vulnerability that comes along in *nix, rather there are discussions of the best way to patch etc, whereas I've noticed that every time there is an post about the latest Windows/IE/SQL Server/?? hole, there is a deluge of postings from defensive MSFT zealots who loudly complain that the Slashdot world is picking on them. Odd.
Re:"Email Different" (Score:5, Insightful)
I need a mail server for non-sensitive e-mails. If someone roots Hotmail's server, I couldn't care less about it. If someone roots my server, then it's a whole different matter. I also use it to prevent handing out my real email address to the myriad of sites that require e-mail registration and for usenet postings.
So yes, in my case Hotmail is a very secure solution.
Re:This is getting silly (Score:2, Insightful)
People bash Micro$loth because their software has an inherently insecure architecture (e.g. - unnecessary services enabled by default, services running with admin rights, etc.), not just being poorly coded. But then again there are some inherent shortcomings in older *NIX software and sendmail is just one example.
Even the Internet as a whole. Back when the Internet was exclusively a failsafe/experimental communication backup for military installations and college campuses it was never meant to be secure in the software sense. It was secure more in terms of physical access. For example, there probably wouldn't be a compromise of an Air Force computer room if external "bad guys" couldn't get physical access into the room and room activities were strictly monitored for internal users. There was never the assumption that the general public would all share remote access to the Internet.
That being said, it will obviously take a massive effort not just to code new software more securely, but to review, patch, or pitch legacy code such as seen in stories like this. Each generation of computer users is savvier and savvier, as most exploits are propagated by kids who toilet paper houses on the weekend. And that is a scary thought if I was Joe Head-up-my-ass PHB too cheap to update/upgrade/migrate software and still running old crap like this.
Re:OpenSSH as well (Score:3, Insightful)
Considering that a lot of mods don't even seem to READ the posts they mod, I doubt they checked out the link.
Re:To all the Microsoft bashers out there.... (Score:3, Insightful)
http://www.pivx.com/larholm/unpatched/
As for being informed, if Slashdot is your only source for notification about security vulnerabilites, you have bigger problems than a single sendmail exploit.
Re:Patch delivery mechanism (Score:3, Insightful)
apt-get upgrade
Stick it in a cronjob.
Yikes! Remind me to never give you a job as an admin for any of my computers. While that sort of thing might be acceptable for a home desktop, it's suicide on a corporate server...