Anatomy of an emergency patch

Martin Englund, security engineer in the Java Network and Security group at Sun Microsystems, offers a blow-by-blow of how the company reacted to the Solaris Telnet zero-day.

• Feb 11, 2007 09:35 -- Link to the exploit posted in the security-discuss forum.
• Feb 11, 2007 11:45 --  Bug filed (6523815, only accessible within Sun) and reply posted to the security-discuss forum.
• Feb 11, 2007 15:03 --  First fix available internally
• Feb 11, 2007 15:54 -- Code review performed
• Feb 11, 2007 16:46 -- Newer, better, fix - involves using login(1)'s getopt() compliance and passing "--" between everything else and $USER.
• Feb 11, 2007 16:51 -- RTI draft created
• Feb 11, 2007 18:25 -- RTI submitted
• Feb 11, 2007 18:31 -- RTI approved
• Feb 11, 2007 18:33 -- Fix integrated into Nevada

All told, the entire process -- from discovery to full patch -- took nine hours, on a Sunday. Impressive.

Sun is not necessarily the poster child for quick turnaround of security fixes but, during this crisis, the company quickly acknowledged an "almighty cock-up" and was very transparent in its response. It's not often you get to tip your cap to a vendor like this.