Bugtraq mailing list archives

Re: GMail / Google Groups ESMTP software b0f


From: Heather Adkins <hadkins () google com>
Date: Tue, 8 Feb 2005 18:16:18 -0800

> There is a very strong indication for this being a buffer overflow in a
> non-forking daemon, rather than a preemptive IDS strike. The threshold for
> the number of characters prompting an overflow; the delayed effect of an
> overflow; the fact it is affected only by the last EHLO; and the global
> unavailability of the service - all are a clear indication of a classic
> b0f related crash.

The actual nature of this flaw was a bug that resulted in memory
exhaustion.  What you uncovered was a DoS that didn't actually affect
the security of the system, only the availability.  We'd like to
stress that this didn't affect our users as the resulting behavior
merely delays email.  Since we fixed the bug quickly, this didn't
happen.

> I notified Google today. It is my understanding that they do not routinely
> communicate with researchers or the community on security problems in
> their code, so I am not coordinating a response in any way. The problem
> may or may not be fixed by now.

We do read external communications sent to us and are greatly
appreciative of any and all reports we receive.  As for communicating
with others I would hope that recent press articles would alleviate
the misconception that we do not work with others.  We even post to
our company blog (http://www.google.com/googleblog/) about various
incidents as necessary.  So I am sadly disappointed that you were
under the impression we wouldn't take action on your report.

Just so that everyone knows, we have an official external email address
for reports of this kind: security () google com

> PS. If that trivial flaw is representative of the quality of server-side
> code beyond some of Google services, I would worry - but take this opinion
> with a grain of salt.

Gmail is a Beta product and we are still working out the kinks!

-Heather


-- 
Heather Adkins <hadkins () google com>
Google Security Team