Anatomy of an emergency patch

Summary: Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day

TOPICS: Oracle, Security

  • Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
  • Feb 11, 2007 11:45 -- Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
  • Feb 11, 2007 15:03 -- First fix available internally.
  • Feb 11, 2007 15:54 -- Code review performed.
  • Feb 11, 2007 16:46 -- Newer, better fix: relies on login(1)'s getopt() compliance and passes "--" between everything else and $USER.
  • Feb 11, 2007 16:51 -- RTI draft created
  • Feb 11, 2007 18:25 -- RTI submitted
  • Feb 11, 2007 18:31 -- RTI approved
  • Feb 11, 2007 18:33 -- Fix integrated into Nevada

All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.

Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.

Talkback

3 comments
  • how about owning up to the blunder

    How about owning up to the mis-representation on what was said and written by Rutkowska in your blog (link below) before making a flaw in Solaris to be a positive spin for SUN.

    http://blogs.zdnet.com/security/?p=29
    code_Warrior
  • Wait a second. "Fix integrated into Nevada" is the end of the process?

    By reading your timeline and the linked forum postings, it's not entirely clear, but I assume that "integrated into Nevada" means that the code change was submitted to the source control system of whatever Nevada is. Does that mean that the "entire process" is done? No.

    Where is the testing? Was any done? It certainly would take more than 1 hr 45 min (the time between "newer, better fix" and "fix integrated") to do thorough testing to make sure the fix didn't break anything. Plus, the timeline doesn't state whether the "newer, better fix" was ever code reviewed.

    What about deploying to customers? That certainly wasn't done by 18:33 either.

    Somehow, this doesn't make me feel any better about Sun's response process.
    PB_z
  • Now all we need

    Now all we need is for Microsoft to make short, sweet 9 hour patches instead of all of these long, bloated "we need to take a month" patches.
    CobraA1