[Full-Disclosure] CERT..(the linux ssl issue) CA-2002-027

From: Niels Bakker (niels=netsys@bakker.net)
Date: 09/15/02

From: niels=netsys@bakker.net (Niels Bakker)
Date: Sun, 15 Sep 2002 00:12:51 +0200

* len@netsys.com (Len Rose) [Sat 14 Sep 2002, 23:30 CEST]:
> Of course the alert is great, but to reiterate my point,
> too limited in scope and may lead to a false sense of
> complacency for non-linux sites.

I concur. I sent the mail below to the moderator of Bugtraq after he
rejected the posting included at the end. (I've removed his words.)

        -- Niels.

----- Forwarded message -----

Date: Fri, 13 Sep 2002 21:17:06 +0200
From: Niels Bakker <niels=bugtraq@bakker.net>
To: Dave Ahmad <da@securityfocus.com>
Subject: Re: bugtraq.c httpd apache ssl attack

Hi David,

Thanks for your quick reply.

[ david here states that he thinks my quoted statements were
  superfluous, as the remedies proposed by some bugtraq posters
  were only temporary measures. ]

I think it needs to be stated. Stopgap measures like those proposed by
those two subscribers give a false sense of security.

"Whew! /tmp/.bugtraq.c created and gcc disabled. I'm safe now!"

The reverse is true.

Given that most Outlook-borne viruses/worms continue to spread literally
years after Microsoft has made patches public that fix the holes these
exploit to spread, the message to patch your systems cannot be repeated
too often, in my opinion.

If I were a script kiddie, I'd quickly make a bugtraq2.c that used
mktemp() to select a filename and had appropriate workarounds for a
disabled gcc (i.e., carry a binary payload as well, or the ability to
download one from somewhere). It'd be reasonably successful, too, due
to wrong advice like that below being handed out on well-known forums
like Bugtraq.

No, the life of a security-conscious person isn't easy; on the contrary,
it's hard work staying on top of things. You're bound to miss things,
but you shouldn't make things worse by actively ignoring them.

>> Won't it be easiest to just upgrade to a non-vulnerable version of
>> OpenSSL and mod_ssl?
>> Obviously way better than a stopgap measure that blocks one particular
>> implementation of an extremely wide range of attacks, I'd say.


        -- Niels.

"Patient" is Latin for "sufferer".
