Feeds

Light shed on Novell's darkest security secret

Novell explains its Padlock Fix

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Updated Novell users are at last able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why it was needed, lest hackers exploited the problem on unpatched systems. There was also a patch for client machines, but this was less critical.

Users were left to wonder why the server patch was needed or had to trust Novell that applying it wouldn't mess with their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch.

Three months on, Novell believes the vast majority of customers have applied the patch and has (quietly) posted a security update on its Web site.

The Padlock Fix, it can now be revealed, closes a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.

The bug affects GroupWise when it is operating in either live remote or smart caching mode, but not in either online or batch mode (where usernames and passwords are sent encrypted). The Padlock Fix ensures encryption is used in all circumstances.

Novell said in August that it wasn't aware of any system compromises because of the issue, and that remains the case now. But you can say that about instances when Novell has been more open about security issues. The way Novell choose to handle matters in this case guaranteed user unease and negative headlines.

Novell's argument that any information on the problem needed to be kept secret remains unconvincing and calls to mind Microsoft's attempts to restrict the discussion of security vulnerabilities.

If vulnerabilities are kept secret, vendors are less likely to provide a timely fix. Likewise, keeping information from users doesn't necessarily keep it out of the hands of crackers.

Security isn't just the responsibility of software vendors, nor should it be, and the days when this is a viable strategy are long gone. ®

Update

Novell has been in touch to defend its handling of the Padlock Fix security issue.

Jason Williams, GroupWise product manager, said that a record of downloads from its site and feedback from its partners suggests 95 per cent of its "traceable customers" had implemented the fix. He said this fix "vindicated" Novell's approach, though it doesn't mean Novell will handle every security risk in that way from now on.

Each security fix will be subject to a risk analysis, which is the case of Padlock Fix resulted in an unprecedented decision (for Novell) to withhold details of the bug while supplying a patch to customers. Uppermost in Novell's thinking on Padlock Fix was the need to safeguard customer data, to the extent that Novell was happy to keep its customer in the dark lest the information leak into the hands of crackers.

Novell's Canadian partner Kinetic, which discovered the bug, wasn't bound by any confidentiality agreement and could have published it on a full disclosure mailing list at any time, Williams told us. He agreed that even if that happened any system penetration was still unlikely but steadfastly declined to make any comment about the politics of vulnerability disclosure.

Related Stories

We won't tell you what this patch does, but apply it NOW
MS to force IT-security censorship
MS throttles research to conceal SW bugs
Linux security self-censorship ominous

Related Links

What Padlock Fix does
Essay by Bruce Schneier on full disclosure

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.