Anatomy of an emergency patch

Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day

  • Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45 -- Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03 -- First fix available internally.
  • Feb 11, 2007 15:54 -- Code review performed.
  • Feb 11, 2007 16:46 -- Newer, better fix: it relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER.
  • Feb 11, 2007 16:51 -- RTI draft created.
  • Feb 11, 2007 18:25 -- RTI submitted.
  • Feb 11, 2007 18:31 -- RTI approved.
  • Feb 11, 2007 18:33 -- Fix integrated into Nevada.
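
The 16:46 entry describes the general defence against argument injection: when a program hands a value it does not control (here $USER) to another program that parses options with getopt(3), a value beginning with "-" can be consumed as an option, and the "--" terminator ends option parsing so that everything after it is positional. The C program below is an added illustration, not Sun's telnetd or login(1) code. It simulates a login-style getopt parser with two assumed options (-f user and -h host), builds the argv a parent process might pass with and without the separator, and shows that only the separated form keeps an option-looking user value positional.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* make getopt(3) visible under strict -std= flags */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result of one simulated login(1)-style parse. Field names are assumptions. */
struct login_args {
    int  preauth;          /* set when a -f option was consumed */
    char fuser[64];        /* argument given to -f */
    char host[64];         /* argument given to -h */
    char positional[64];   /* first non-option argument (the user name) */
};

/*
 * Parse argv the way a getopt(3)-based program would.  The option letters
 * -f <user> and -h <host> are assumed for illustration; the real login(1)
 * has more.  Returns 0 on success, -1 on an unknown option.
 */
static int parse_login_argv(int argc, char **argv, struct login_args *out)
{
    int c;

    memset(out, 0, sizeof *out);
    optind = 0;   /* reinitialise getopt state so this can run repeatedly (glibc/musl) */
    opterr = 0;   /* keep getopt quiet on unknown options */
    while ((c = getopt(argc, argv, "f:h:")) != -1) {
        switch (c) {
        case 'f':
            out->preauth = 1;
            snprintf(out->fuser, sizeof out->fuser, "%s", optarg);
            break;
        case 'h':
            snprintf(out->host, sizeof out->host, "%s", optarg);
            break;
        default:
            return -1;
        }
    }
    /* getopt stops at "--" (consuming it) or at the first non-option word */
    if (optind < argc)
        snprintf(out->positional, sizeof out->positional, "%s", argv[optind]);
    return 0;
}

/*
 * Build the argv a telnetd-like parent would hand to login.  The user value
 * comes from the remote side and is placed last.  With use_separator set,
 * "--" is inserted before it, which is the fix the timeline describes.
 * argv must have room for at least 6 pointers.  Returns argc.
 */
static int build_login_argv(const char *user, int use_separator, char **argv)
{
    int n = 0;

    argv[n++] = (char *)"login";
    argv[n++] = (char *)"-h";
    argv[n++] = (char *)"remotehost.example";   /* constructed peer name */
    if (use_separator)
        argv[n++] = (char *)"--";
    argv[n++] = (char *)user;
    argv[n] = NULL;
    return n;
}

/* Does this user value end up consumed as the -f option?  1 yes, 0 no, -1 parse error. */
static int user_parsed_as_option(const char *user, int use_separator)
{
    char *argv[8];
    struct login_args a;
    int argc = build_login_argv(user, use_separator, argv);

    if (parse_login_argv(argc, argv, &a) != 0)
        return -1;
    return a.preauth;
}

int main(void)
{
    /* Constructed inputs: an ordinary name and a value that starts with an option letter. */
    const char *inputs[] = { "alice", "-fother" };
    for (size_t i = 0; i < 2; i++) {
        printf("USER=%-8s without \"--\": option=%d  with \"--\": option=%d\n",
               inputs[i],
               user_parsed_as_option(inputs[i], 0),
               user_parsed_as_option(inputs[i], 1));
    }
    return 0;
}
```

The separator works only because the callee honours the POSIX getopt convention; a program that parses its arguments by hand may not stop at "--", which is why the timeline entry mentions login(1)'s getopt() compliance as a precondition of the fix.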

All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.

Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.
