Anatomy of an emergency patch

Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day.

  • Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45 -- Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03 -- First fix available internally
  • Feb 11, 2007 15:54 -- Code review performed
  • Feb 11, 2007 16:46 -- Newer, better fix: involves using login(1)'s getopt() compliance and passing "--" between everything else and $USER.
  • Feb 11, 2007 16:51 -- RTI draft created
  • Feb 11, 2007 18:25 -- RTI submitted
  • Feb 11, 2007 18:31 -- RTI approved
  • Feb 11, 2007 18:33 -- Fix integrated into Nevada

All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.

Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
