Network Security Vuln-Dev

Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnerability - how many on your network?

Subject: Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnerability - how many on your network?
Date: Wed, 14 Feb 2007 19:02:29 -0600 (CST)
On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
>
> [...]
> > One note: although it could just as well be a bug, who says it was not a
> > backdoor in the early 90's?
> >
> > Also, I understand this does not work on older Solaris/SunOS systems
> > (anyone can verify?)
>
> I can. It is not present in anything before Solaris 10.
>
> > which adds to my personal interest in the
> > possibility. I refuse to believe someone is that funny/sad.
>
> Not sure what you mean here... You don't believe this is a (very
> unfortunate) accident?
>
> From where I stand (pretty close to the fire) this is pretty much
> what it looks like (an extended multi-file, multi-entrance-point
> change with unforeseen and unnoticed interdependencies).

This needs to be further discussed, as your response here has been
awe-striking.

The remote possibility was raised, and for several reasons:
1. It just didn't seem to be possible such a vulnerability would exist,
yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for
rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.

Sun has been completely visible and did full-disclosure on the
vulnerability, how it got there, etc. I have to tip my hat to you and
thank you for your help with this.

I believe the entire industry should thank you, and follow your lead.

This is the first case where I have seen a vendor respond in such
fashion. It is to be commended yet again. You have proven what being open
with the community can achieve.

This is a serious F up on the side of Sun. Everyone makes mistakes
and incidents will happen no matter what. What matters here is how you
responded to the incident when it did happen.

        Gadi.


> Joep


