Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!ember!dre From: dre%ember@Sun.COM (David Emberson) Newsgroups: comp.protocols.tcp-ip Subject: Re: a holiday gift from Robert "wormer" Morris Summary: Clarification of my statements... Message-ID: <77604@sun.uucp> Date: 15 Nov 88 00:58:44 GMT References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <76424@sun.uucp> <699@tank.uchicago.edu> Sender: news@sun.uucp Distribution: na Lines: 55 I wish to clarify my recent statement that I knew about this security hole in sendmail. Apparently some people have taken this to mean that Sun Microsystems knew about a problem in their software and deliberately shipped a sendmail with a security hole. This is not the case. At the time that Matt Bishop told me of this bug (1984), we were both employed by Megatest Corporation. I ran the computer engineering group there, and Matt was a member of the group. We were a beta site for Berkeley's Unix group. Matt's research interest is in security, and that is how I found out about this bug. It was my understanding that the sendmail trapdoor was reported to Berkeley in 1984 and fixed in 4.3BSD. I have been employed by Sun Microsystems since January of this year. At no time did anyone in the software group know that the sendmail trapdoor could be used to breach security. If the bug had been properly reported, it most certainly would have been fixed. When Sun finally did become aware of the security problems, reaction was swift and effective. I think the work that Chuq Von Rospach did in getting patches through the system in only a few days (through a thorough software QA process) is representative of the kind of responsiveness that Sun strives for and generally provides. Paul Vixie of DEC Western Research Labs also posted a note to this network stating that he knew of the sendmail problem: >From sun!decwrl!vixie Sun Nov 6 11:36:10 1988 >Subject: Re: a holiday gift from Robert "wormer" Morris >Organization: DEC Western Research Lab ># the hole [in sendmail] was so obvious that i surmise that Morris ># was not the only one to discover it. perhaps other less ># reproductively minded arpanetters have been having a field ># 'day' ever since this bsd release happened. > >I've known about it for a long time. I thought it was common knowledge >and that the Internet was just a darned polite place. (I think it _was_ >common knowledge among the people who like to diddle the sendmail source.) > >The bug in fingerd was a big surprise, though. Overwriting a stack frame >on a remote machine with executable code is One Very Neat Trick. >-- >Paul Vixie >Work: vixie@decwrl.dec.com decwrl!vixie +1 415 853 6600 So, I suppose that it is technically true that the knowledge of this problem existed both inside of DEC and Sun, but it was never reported via a formal bug report, so it apparently fell through the cracks at both companies. In my case, I thought the problem no longer existed. So I was very surprised to see this trapdoor exploited by the worm. It did not seem to me like I was impugning the quality of anyone's work to say, "Oh yeah. I knew about that." I did not think it necessary to say that my statements are not official statements of Sun Microsystems, Inc. I thought that was obvious. In any case, I sincerely apologize to the very fine team in Sun's software group for this misunderstanding. Dave Emberson (dre@sun.com)