[ISN] We won't tell you what this patch does, but apply it NOW

From: InfoSec News (isnat_private)
Date: Sun Aug 19 2001 - 23:49:59 PDT

  • Next message: InfoSec News: "[ISN] FBI blows Code Red all-clear"

    By John Leyden
    Posted: 17/08/2001 at 17:24 GMT
    There's an extremely serious security problem with GroupWise that
    requires an immediate patch, but the problem is apparently so bad that
    Novell can't even bring itself to tell its users what it is.
    The Utah-based software firm has issued an email to its GroupWise 5.5
    Enhancement Pack or GroupWise 6 users asking them that to apply the
    "Padlock Fix" to their servers immediately but isn't telling anybody
    why it's needed, lest hackers exploit the problem on unpatched
    Richard Bliss, marketing manager for Novell GroupWise, admitted it was
    going against the grain in asking users to trust a software vendor
    about the safety of applying a patch within their environment.
    It was warning users about an unstated risk and urging them "in the
    strongest language" to apply a patch before releasing details of what
    it did for good reason, he claimed.
    Bliss said the patch corrected a problem with Novell's GroupWise
    software that has existed for two years but remained undiscovered and,
    so far as he knew, unexploited by hackers. GroupWise 4.x, 5.0, 5.2,
    and 5.5 servers and clients are not affected by the problem.
    Bliss admitted the firm faced a dilemma about whether to fully inform
    users about the problem, common practice with security problems which
    has been followed by Novell in the past, but judged inappropriate in
    this case.
    The security problem here is so severe it needs a whole different type
    of response, Bliss told us.
    He acknowledged people will place the worst possible interpretation on
    this and said Novell was prepared to "take a hit" on its reputation in
    "order to protect the integrity of its customers".
    So the bug must be bad then.
    A link to server and less-critical client versions on the Padlock Fix
    have been posted by Novell on its support site.
    [Novell support site: http://support.novell.com/padlock/ ]
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 02:29:57 PDT