Re: a holiday gift from Robert "wormer" Morris


David Emberson (ember!dre@sun.com)
15 Nov 88 00:58:44 GMT


I wish to clarify my recent statement that I knew about this security hole in
sendmail. Apparently some people have taken this to mean that Sun Microsystems
knew about a problem in their software and deliberately shipped a sendmail with
a security hole. This is not the case.

At the time that Matt Bishop told me of this bug (1984), we were both employed
by Megatest Corporation. I ran the computer engineering group there, and Matt
was a member of the group. We were a beta site for Berkeley's Unix group.
Matt's research interest is in security, and that is how I found out about this
bug. It was my understanding that the sendmail trapdoor was reported to
Berkeley in 1984 and fixed in 4.3BSD.

I have been employed by Sun Microsystems since January of this year. At no
time did anyone in the software group know that the sendmail trapdoor could
be used to breach security. If the bug had been properly reported, it most
certainly would have been fixed. When Sun finally did become aware of the
security problems, reaction was swift and effective. I think the work that
Chuq Von Rospach did in getting patches through the system in only a few
days (through a thorough software QA process) is representative of the kind
of responsiveness that Sun strives for and generally provides.

Paul Vixie of DEC Western Research Labs also posted a note to this network
stating that he knew of the sendmail problem:

>From sun!decwrl!vixie Sun Nov 6 11:36:10 1988
>Subject: Re: a holiday gift from Robert "wormer" Morris
>Organization: DEC Western Research Lab

># the hole [in sendmail] was so obvious that i surmise that Morris
># was not the only one to discover it. perhaps other less
># reproductively minded arpanetters have been having a field
># 'day' ever since this bsd release happened.
>
>I've known about it for a long time. I thought it was common knowledge
>and that the Internet was just a darned polite place. (I think it _was_
>common knowledge among the people who like to diddle the sendmail source.)
>
>The bug in fingerd was a big surprise, though. Overwriting a stack frame
>on a remote machine with executable code is One Very Neat Trick.
>--
>Paul Vixie
>Work: vixie@decwrl.dec.com decwrl!vixie +1 415 853 6600

So, I suppose that it is technically true that the knowledge of this problem
existed both inside of DEC and Sun, but it was never reported via a formal
bug report, so it apparently fell through the cracks at both companies. In
my case, I thought the problem no longer existed. So I was very surprised to
see this trapdoor exploited by the worm. It did not seem to me like I was
impugning the quality of anyone's work to say, "Oh yeah. I knew about that."
I did not think it necessary to say that my statements are not official
statements of Sun Microsystems, Inc. I thought that was obvious. In any case,
I sincerely apologize to the very fine team in Sun's software group for this
misunderstanding.

                        Dave Emberson (dre@sun.com)



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT