Anatomy of an emergency patch

Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day

  • Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45 -- Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03 -- First fix available internally.
  • Feb 11, 2007 15:54 -- Code review performed.
  • Feb 11, 2007 16:46 -- Newer, better fix: relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER, so the user name can never be parsed as an option.
  • Feb 11, 2007 16:51 -- RTI draft created.
  • Feb 11, 2007 18:25 -- RTI submitted.
  • Feb 11, 2007 18:31 -- RTI approved.
  • Feb 11, 2007 18:33 -- Fix integrated into Nevada.
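The 16:46 entry is the interesting one for defenders: when a privileged program forwards an untrusted string to another getopt-style program, a literal "--" is what guarantees that string is taken as an operand and never as a flag. The script below is an added illustration, not Sun's telnetd or login(1) code; `mock_login` is a hypothetical stand-in that understands a single flag (`-q`, quiet) and prints what it parsed, and `forward_unsafe` / `forward_safe` are hypothetical callers showing the argument handling before and after a "--" is inserted. The input values are constructed.

```shell
#!/bin/sh
# Added example, not from the article or from Sun's source. A stand-in for a
# login(1)-style program that parses its options with getopts, plus two ways
# a caller can forward an untrusted user name to it.

# mock_login (hypothetical): accepts -q (quiet) and takes the user name as
# its first operand. It prints what it parsed so the effect of the caller's
# argument handling is visible.
mock_login() {
    OPTIND=1          # getopts keeps global state; reset it per call
    quiet=0
    while getopts "q" opt; do
        case "$opt" in
            q) quiet=1 ;;
            *) echo "usage: mock_login [-q] user" ; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    printf 'quiet=%s user=%s\n' "$quiet" "${1-}"
}

# Before the fix: the untrusted value is appended as-is, so a value that
# begins with "-" is parsed by getopts as an option instead of as the operand.
forward_unsafe() {
    mock_login "$1"
}

# After the fix (the approach the timeline describes): "--" ends option
# parsing, so whatever follows is always treated as the user name.
forward_safe() {
    mock_login -- "$1"
}

# Constructed inputs: an ordinary name and one that looks like a flag.
forward_unsafe "alice"    # quiet=0 user=alice
forward_unsafe "-q"       # quiet=1 user=      (flag consumed, user name lost)
forward_safe   "-q"       # quiet=0 user=-q    (taken literally as a name)
```

The same rule applies to any exec of a getopt-based program with caller-controlled arguments: put "--" after the last option you control, or the input decides which options run.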

All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.

Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.
