Feeds

Light shed on Novell's darkest security secret

Novell explains its Padlock Fix

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Updated Novell users are at last able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why it was needed, lest hackers exploited the problem on unpatched systems. There was also a patch for client machines, but this was less critical.

Users were left to wonder why the server patch was needed or had to trust Novell that applying it wouldn't mess with their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch.

Three months on, Novell believes the vast majority of customers have applied the patch and has (quietly) posted a security update on its Web site.

The Padlock Fix, it can now be revealed, closes a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.

The bug affects GroupWise when it is operating in either live remote or smart caching mode, but not in either online or batch mode (where usernames and passwords are sent encrypted). The Padlock Fix ensures encryption is used in all circumstances.

Novell said in August that it wasn't aware of any system compromises because of the issue, and that remains the case now. But you can say that about instances when Novell has been more open about security issues. The way Novell choose to handle matters in this case guaranteed user unease and negative headlines.

Novell's argument that any information on the problem needed to be kept secret remains unconvincing and calls to mind Microsoft's attempts to restrict the discussion of security vulnerabilities.

If vulnerabilities are kept secret, vendors are less likely to provide a timely fix. Likewise, keeping information from users doesn't necessarily keep it out of the hands of crackers.

Security isn't just the responsibility of software vendors, nor should it be, and the days when this is a viable strategy are long gone. ®

Update

Novell has been in touch to defend its handling of the Padlock Fix security issue.

Jason Williams, GroupWise product manager, said that a record of downloads from its site and feedback from its partners suggests 95 per cent of its "traceable customers" had implemented the fix. He said this fix "vindicated" Novell's approach, though it doesn't mean Novell will handle every security risk in that way from now on.

Each security fix will be subject to a risk analysis, which is the case of Padlock Fix resulted in an unprecedented decision (for Novell) to withhold details of the bug while supplying a patch to customers. Uppermost in Novell's thinking on Padlock Fix was the need to safeguard customer data, to the extent that Novell was happy to keep its customer in the dark lest the information leak into the hands of crackers.

Novell's Canadian partner Kinetic, which discovered the bug, wasn't bound by any confidentiality agreement and could have published it on a full disclosure mailing list at any time, Williams told us. He agreed that even if that happened any system penetration was still unlikely but steadfastly declined to make any comment about the politics of vulnerability disclosure.

Related Stories

We won't tell you what this patch does, but apply it NOW
MS to force IT-security censorship
MS throttles research to conceal SW bugs
Linux security self-censorship ominous

Related Links

What Padlock Fix does
Essay by Bruce Schneier on full disclosure

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.