"A claim of a software vulnerability in a program used to connect
securely to servers across the Internet is likely a hoax, according to
an analyst with the SANS Internet Storm Center.
The program,
called OpenSSH (Secure Shell), is installed on tens of millions of
servers made by vendors such as Red Hat, Hewlett-Packard, Apple and
IBM. It is used by administrators to make encrypted connections with
other computers and do tasks such as remotely updating files. OpenSSH
is the open-source version, and there are commercial versions of the
program.
Earlier this week, SANS received an anonymous e-mail
claiming of a zero-day vulnerability in OpenSSH, which means a flaw in
the software is already being exploited as it becomes public. It's the
most dangerous type of software vulnerability since it means there's no
fix for it yet and the bad guys know about it.
A true zero-day
vulnerability in OpenSSH could be devastating for the Internet,
allowing hackers to have carte blanche access to servers and PCs until
a workaround or a patch is readied.
"That's why I think people
are actually creating quite a bit of a panic," said Bojan Zdrnja, a
SANS analyst and senior information security consultant at Infigo, a
security and penetration testing company in Zagreb, Croatia. "People
should not panic right now. Nothing at this time points that there is
an exploit being used in the wild.""
Read more: http://www.pcworld.com/businesscenter/article/168130/dangerous_security_flaw_likely_just_a_hoax.html
Sans Coverage: http://isc.sans.org/diary.html?storyid=6760
