BIND 9 Exploit

Darrin Chandler dwchandler at stilyagin.com
Thu Jul 26 06:55:02 MST 2007


No, this case isn't luck of the draw. The vulnerable algorithm was
looked at and judged to be too unproven, so an alternate was used. This
is a case of proactive security.

Of course OpenBSD has had, and will have, exploits. They're just very
rare: two remote holes in over 10 years. There have been more local
exploits, but still a small number comparatively. The small number of
vulnerabilities is a direct result of extensive code audits of the base
system plus attack mitigation techniques. Do you really think that if
competent developers focus hard on code quality and security that there
will be no payoff? Of course there is a payoff.

And... in the security world, OpenBSD isn't exactly a low profile
target. Finding an exploit for OpenBSD is quite a feather in the cap of
a security researcher, whether professional, academic, or blackhat.

My one-line jab wasn't really meant to start this conversation. Really.
I'm not trying to say that Linux is a horribly insecure system. It's
not. I'm just saying people should patch their systems.

On Wed, Jul 25, 2007 at 11:32:09PM -0700, Dan Lund wrote:
> Eh, there's just less of a market visibility for OpenBSD, so it's not aimed at.
> It's merely luck of the draw in this case, however.
> 
> On 7/25/07, Jim <arizona.anorak at gmail.com> wrote:
> > Give them time and they'll come up with a way to hack your OpenBSD boxen.
> >
> > Darrin Chandler wrote:
> > > As many of you are aware, there's been an exploit published for bind 9.
> > > Patches are available, so check for updates for your *BSD and/or Linux
> > > boxen.
> > >
> > > Unless you're using OpenBSD, of course. ;-)
> > >
> > > http://undeadly.org/cgi?action=article&sid=20070725193920
> > >
> >
> > --
> >
> >
> > "That income tax you know it's nothing more than legal robbery"
> > Sidney "Pa" Larkin
> >
> > The magic HD-DVD number is:
> > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> 
> 
> -- 
> "Courage is like love; it must have hope to nourish it."
> -Napoleon Bonaparte

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
dwchandler at stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation

