Light shed on Novell's darkest security secret

Novell explains its Padlock Fix


Updated Novell users are at last able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why it was needed, lest hackers exploit the problem on unpatched systems. There was also a patch for client machines, but this was less critical.

Users were left to wonder why the server patch was needed or had to trust Novell that applying it wouldn't mess with their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch.

Three months on, Novell believes the vast majority of customers have applied the patch and has (quietly) posted a security update on its Web site.

The Padlock Fix, it can now be revealed, closes a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.

The bug affects GroupWise when it is operating in either live remote or smart caching mode, but not in either online or batch mode (where usernames and passwords are sent encrypted). The Padlock Fix ensures encryption is used in all circumstances.

Novell said in August that it wasn't aware of any system compromises because of the issue, and that remains the case now. But the same can be said of instances when Novell has been more open about security issues. The way Novell chose to handle matters in this case guaranteed user unease and negative headlines.

Novell's argument that any information on the problem needed to be kept secret remains unconvincing and calls to mind Microsoft's attempts to restrict the discussion of security vulnerabilities.

If vulnerabilities are kept secret, vendors are less likely to provide a timely fix. Likewise, keeping information from users doesn't necessarily keep it out of the hands of crackers.

Security isn't just the responsibility of software vendors, nor should it be, and the days when this is a viable strategy are long gone. ®

Update

Novell has been in touch to defend its handling of the Padlock Fix security issue.

Jason Williams, GroupWise product manager, said that a record of downloads from its site and feedback from its partners suggests 95 per cent of its "traceable customers" had implemented the fix. He said this fix "vindicated" Novell's approach, though it doesn't mean Novell will handle every security risk in that way from now on.

Each security fix will be subject to a risk analysis, which in the case of Padlock Fix resulted in an unprecedented decision (for Novell) to withhold details of the bug while supplying a patch to customers. Uppermost in Novell's thinking on Padlock Fix was the need to safeguard customer data, to the extent that Novell was happy to keep its customers in the dark lest the information leak into the hands of crackers.

Novell's Canadian partner Kinetic, which discovered the bug, wasn't bound by any confidentiality agreement and could have published it on a full disclosure mailing list at any time, Williams told us. He agreed that even if that had happened, any system penetration was still unlikely, but steadfastly declined to make any comment about the politics of vulnerability disclosure.

Related Stories

We won't tell you what this patch does, but apply it NOW
MS to force IT-security censorship
MS throttles research to conceal SW bugs
Linux security self-censorship ominous

Related Links

What Padlock Fix does
Essay by Bruce Schneier on full disclosure
