Sendmail Hit by Data Interception Flaw 208
ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."
can someone explain... (Score:2, Insightful)
(Yes, tongue is firmly in cheek here...)
Why would this qualify as serious if there isn't even a known way to exploit it yet? Or was there one in there I missed?
Insufficient data. (Score:5, Insightful)
There are also multiple ways of configuring sendmail when compiling it, which tells me that whilst an upgrade may be important, it may be much more important for some users than others.
Also, saying it doesn't affect Windows is unclear. Does it not affect Windows when you use some official
The report, as described, is about as useful as saying "we think we know a way by which under certain circumstances that we know, another may think they know a way by which you might have an increased chance of being struck by an asteroid". If you don't know what the way is, or what those circumstances might be, the information has little value. Sure, it has some in that they provide a bugfixed release, but we don't know how long the bug has existed and therefore have absolutely bugger all way of quantifying what the risk is that a server has already been compromised. It only prevents uncompromised servers from being attacked by this method in future.
Just because the press release is dated XYZ does not mean that every Black Hat under the sun hasn't got a CD-ROM filled with exploits for it and a list of backdoors on cracked sites from three years back. XYZ is merely the date the rest of us know about it. You don't maintain a secure system by assuming all crackers only know the exploits you've fixed. You maintain a secure system by assuming at least one cracker has the means to discover the exploits you've neither heard of nor have patches for - ie: by assuming you're running buggy software and taking the necessary steps to limit what those bugs can do.
Re:Sendmail - now in its third decade of exploits (Score:5, Insightful)
We've been struggling with Linux exploits since its birth, too. Shall we "drop the turkey" every time a new Linux exploit pops up, too, or should we acknowledge that it's a complicated piece of software whose security generally improves as it matures? I thought so.
Oh, and just for good measure...
Results 1 - 10 of about 203,000 for qmail exploit.
Results 1 - 10 of about 283,000 for postfix exploit.
I note that those queries generate about 1/3 and about 1/2 as many results, respectively, for products that have existed for about 1/10 as long as sendmail. By your ridiculously flawed "Google logic", qmail and postfix are far more dangerous "turkeys" than sendmail.
Re:Who the hell still uses sendmail? (Score:1, Insightful)
Go back to your mom's basement.
Re:The inevitable 'use postfix!' post.... (Score:5, Insightful)
These are all good things, and it seems to me to be a bit two-faced to say that the power of open source is that there are many eyes on the source, and then to punish the software with the most eyes on it. Sendmail has been the heart of mail on the Internet for decades, and deservedly will continue to do so for the forseeable future.
These bugs demonstrate the old saying: where there is code, there are bugs. I'll stick with software that has already had the vast majority of its security problems shaken out.
First in two years (Score:5, Insightful)
2 in March 2003
1 in August 2003
1 in September 2003
1 in March 2006
2.5 years between vulnerabilities? Not too shabby, IMHO.
There is, however, one unpatched vulnerability, though the worst it can do is hide details from the log.
Re:Sendmail - now in its third decade of exploits (Score:3, Insightful)
We've been struggling with Windows exploits since its birth, too, and most of the
And now watch my karma vanish in an instant.
Re:The inevitable 'use postfix!' post.... (Score:3, Insightful)
Unlike sendmail, it was designed to be secure. I'll take the one for which security was not an afterthought, thankyouverymuch.