Open Source

Wow. Technology news makes CNN. A vulnerability in Sendmail could allow users to get root access to a system. The flaw was discovered yesterday by ISS, and the group was quick to point out that there wasn’t any known exploit for the bug.

I watched this play out on the Bugtraq list, and it was truly amazing how quickly the vendors responded. Within an hour of the post by ISS about the exploit, there were posts indicating that patches were available for most OS distributions. Part of this was due, it seems, to our government. The Department of Homeland Security coordinated the release of the exploit with ISS to allow the vendors time to get a patch complete (which makes good sense to me). According to the CNET article, the bug was found mid-January, and since there wasn’t a known exploit for it, DHS decided to allow the vendors to work without a public announcement (which would then give crackers a chance to find an exploit). Hopefully this will be a model of how bugs are handled in the future (though we could do without big brother calling the shots).