Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

We won't tell you what this patch does, but apply it NOW

From: InfoSec News <isn () c4i org>
Date: Mon, 20 Aug 2001 01:49:59 -0500 (CDT)
http://www.theregister.co.uk/content/55/21115.html

By John Leyden
Posted: 17/08/2001 at 17:24 GMT

There's an extremely serious security problem with GroupWise that
requires an immediate patch, but the problem is apparently so bad that
Novell can't even bring itself to tell its users what it is.

The Utah-based software firm has issued an email to its GroupWise 5.5
Enhancement Pack or GroupWise 6 users asking them that to apply the
"Padlock Fix" to their servers immediately but isn't telling anybody
why it's needed, lest hackers exploit the problem on unpatched
systems.

Richard Bliss, marketing manager for Novell GroupWise, admitted it was
going against the grain in asking users to trust a software vendor
about the safety of applying a patch within their environment.

It was warning users about an unstated risk and urging them "in the
strongest language" to apply a patch before releasing details of what
it did for good reason, he claimed.

Bliss said the patch corrected a problem with Novell's GroupWise
software that has existed for two years but remained undiscovered and,
so far as he knew, unexploited by hackers. GroupWise 4.x, 5.0, 5.2,
and 5.5 servers and clients are not affected by the problem.

Bliss admitted the firm faced a dilemma about whether to fully inform
users about the problem, common practice with security problems which
has been followed by Novell in the past, but judged inappropriate in
this case.

The security problem here is so severe it needs a whole different type
of response, Bliss told us.

He acknowledged people will place the worst possible interpretation on
this and said Novell was prepared to "take a hit" on its reputation in
"order to protect the integrity of its customers".

So the bug must be bad then.

A link to server and less-critical client versions on the Padlock Fix
have been posted by Novell on its support site.

[Novell support site: http://support.novell.com/padlock/ ]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: