Anatomy of an emergency patch
Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day.
- Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
- Feb 11, 2007 11:45 -- Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
- Feb 11, 2007 15:03 -- First fix available internally.
- Feb 11, 2007 15:54 -- Code review performed.
- Feb 11, 2007 16:46 -- Newer, better fix: relies on login(1)'s getopt() compliance and passes "--" between all other arguments and $USER, so a user name beginning with a dash can no longer be parsed as an option.
- Feb 11, 2007 16:51 -- RTI draft created.
- Feb 11, 2007 18:25 -- RTI submitted.
- Feb 11, 2007 18:31 -- RTI approved.
- Feb 11, 2007 18:33 -- Fix integrated into Nevada.
All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.
Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.