---

OpenSSH update (Zero-day exploit?)

“So, I’m not pursuaded that an 0day exists at all. The only
evidence so far are some anonymous rumours and unverifiable
intrusion transcripts.

“Speculating as to what an exploit, should it exist, might
consist of:

“The two issues of note that have been fixed since openssh-4.3
are the aforementioned signal race (in 4.4) and a privsep signature
verification weakness (in 4.5). I doubt that it is the race
condition as not even Mark Dowd was able to make an working exploit
from it. The privsep weakness could be used to escalate privilege
out of some other unknown flaw, but it would not grant access by
itself.”

Complete Story

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis