Bad news: Exim hole was going to be patched on Xmas Day. Good news: Keyword 'was'

Code release for info-leak bug brought forward

Updated: An information-leaking security hole in widely used email agent Exim – scheduled for repair on Christmas Day – may now be publicly patched earlier, possibly as soon as Friday.

System administrators were stunned by the suggestion that a patch for the vulnerability would be released on December 25 when pretty much everyone working in IT will have the day off.

An Exim maintainer, Heiko Schlittermann, admitted the timing of the release wasn’t ideal and suggested that holding up the release until after the Christmas festivities would be worse.

“We're very sorry for the unfortunate timing,” said Schlittermann. “We got the vulnerability report on Dec 15th, and requested the CVE on 16th. On 18th the patch was ready and passed our tests. We added 7 days to give the distros a chance to prepare their packages and this made up the 25th.

“And yes, we know, it is holiday in many countries. The decision wasn't an easy one. Delaying some days more would probably hit New Year celebration."

In the end, Exim's developers spoke to software distribution makers about hurrying along the bugfix release, and it was decided to bring the update forward to Friday, December 23.

Christmas is saved and sysadmins not providing on-call coverage on December 25 and 26 can stick to their plans, whether that's spending time with family, or getting drunk with friends, or sitting at home alone reinstalling Kubernetes, or perhaps all three.

The seriousness of the bug that’s going to be fixed remains unclear, although Schlittermann did suggest that the “impact of the update should be very minimal.” The revised software will go from 4.87 to 4.87.1, implying a minor step update.

“From what's been said so far, I've no idea how bad the underlying bug might be,” said El Reg reader Ben T, who tipped us off. “It might simply be that you can get disclosure of addresses that have been passed through (which still isn't great), or might be something worse like being able to get the private key used for TLS.”

There's only a placeholder on Exim’s bug tracker for the flaw, designated CVE-2016-9963. ®

Updated to add on December 23

Actually, due to a distro not being ready in time, the release date will be December 25. Doh!
