Light shed on Novell's darkest security secret

Novell explains its Padlock Fix


Updated: Novell users are at last able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious that the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why the patch was needed, lest hackers exploit the problem on unpatched systems. There was also a patch for client machines, but this was less critical.

Users were left to wonder why the server patch was needed and had to trust Novell that applying it wouldn't disrupt their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch.

Three months on, Novell believes the vast majority of customers have applied the patch and has (quietly) posted a security update on its Web site.

The Padlock Fix, it can now be revealed, closes a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.

The bug affects GroupWise when it is operating in either live remote or smart caching mode, but not in either online or batch mode (where usernames and passwords are sent encrypted). The Padlock Fix ensures encryption is used in all circumstances.

Novell said in August that it wasn't aware of any system compromises because of the issue, and that remains the case now. But the same can be said of instances when Novell has been more open about security issues. The way Novell chose to handle matters in this case guaranteed user unease and negative headlines.

Novell's argument that any information on the problem needed to be kept secret remains unconvincing and calls to mind Microsoft's attempts to restrict the discussion of security vulnerabilities.

If vulnerabilities are kept secret, vendors are less likely to provide a timely fix. Likewise, keeping information from users doesn't necessarily keep it out of the hands of crackers.

Security isn't just the responsibility of software vendors, nor should it be, and the days when this is a viable strategy are long gone. ®

Update

Novell has been in touch to defend its handling of the Padlock Fix security issue.

Jason Williams, GroupWise product manager, said that a record of downloads from its site and feedback from its partners suggests 95 per cent of its "traceable customers" had implemented the fix. He said this fix "vindicated" Novell's approach, though it doesn't mean Novell will handle every security risk in that way from now on.

Each security fix will be subject to a risk analysis, which in the case of Padlock Fix resulted in an unprecedented decision (for Novell) to withhold details of the bug while supplying a patch to customers. Uppermost in Novell's thinking on Padlock Fix was the need to safeguard customer data, to the extent that Novell was happy to keep its customers in the dark lest the information leak into the hands of crackers.

Novell's Canadian partner Kinetic, which discovered the bug, wasn't bound by any confidentiality agreement and could have published it on a full disclosure mailing list at any time, Williams told us. He agreed that even if that happened any system penetration was still unlikely but steadfastly declined to make any comment about the politics of vulnerability disclosure.

Related Stories

We won't tell you what this patch does, but apply it NOW
MS to force IT-security censorship
MS throttles research to conceal SW bugs
Linux security self-censorship ominous

Related Links

What Padlock Fix does
Essay by Bruce Schneier on full disclosure
