lynx-dev

Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)


From: David Woolley
Subject: Re: Draft CERT bulletin (was Re: LYNX-DEV security.html)
Date: Wed, 9 Jul 1997 00:22:52 +0100 (BST)

This draft has too much exploit detail, in the first case, to fit
the style for CERT bulletins.  CERT work on the security by obscurity
principle, so bulletins limit themselves to the scope of the problem
(which version, operating systems/operating system characteristics) and
the final results of an attack (e.g. overwrite files owned by anyone who
uses Lynx).  They then describe specific avoidance techniques without
explaining how they work.

This doesn't stop people who understand how security holes work from working
out their own attacks, but most exploiters of security holes are following
cook book methods, so, if the hole is blocked before the cook book is written,
relatively few systems get compromised.

The second one is better in this respect, but stresses the avoidable 
variation, when the variation which cannot be disabled is the killer; the
only really satisfactory advice in this case is to cease using Lynx until
the new version has been obtained (or possibly to describe in detail how
to protect Lynx with chroot, although the scope for getting this wrong is
arguably too high).

In many cases, the avoidable one would be considered a local user attack, 
whereas the unavoidable one is a remote attack by an unknown person.

In particular, the term webmaster tends to imply a responsible person, but
the high risk pages are those in the "free" web space areas provided by ISPs
and in ~user areas.  These are generally not vetted by the webmaster.


I haven't checked the URLs given, but those most at risk are likely to be
those using pre-compiled binaries, so it is more or less essential that 
pointers to pre-compiled versions for likely operating systems are given
(I would suggest that Linux, SCO (all versions), and Solaris need to be
given, as the very minimum - in fact, any system where either the development
system is unbundled, or it is used by people without a Unix background,
needs to be included).

The other common practice on CERT bulletins is to include the MD5
checksum (and possibly PGP) of the relevant fixed versions, so that people
can be sure they have a legitimate copy.
