August 04, 2004

Upgrade your Putty Clients IMMEDIATELY!

To all the Windows users using Putty for SSH, please upgrade your putty clients IMMEDIATELY.

PuTTY 0.55, released today, fixes a serious security hole which may allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference.

You can grab the latest version of putty here.

Of course, if you use cygwin and use OpenSSH... you're fine. :)

UPDATE: A reader of the blog pointed out that I am blindly pointing to the executable, which for the paranoid could be a bad thing without explaining what is going on.

You can go to the putty main page to read the news and get the above statement in detail.

Posted by SilverStr at August 4, 2004 11:25 AM | TrackBack


Posted by: Jonathan at August 4, 2004 11:35 AM

I don't wish to appear paranoid, but could you perhaps provide a link to some further info about this? Linking directly to an "updated" executable makes me rather suspicious. At least sign something with your PGP key, or make some attempt at verification.

Meanwhile, I would advise anyone reading this to NOT download anything until it's safe to do so.

Posted by: Jonathan at August 4, 2004 11:36 AM

Sorry. Good point on clarifying this. I will modify the entry accordingly.

Posted by: SilverStr at August 4, 2004 11:59 AM

The vuln is listed in the changelog. I couldn't find the CORE article listed, though.

Posted by: Mike Kolitz at August 4, 2004 12:09 PM

Under fair disclosure, I would gather a window is being provided to get the fix out.

Don't be suprised if you see this hit bugtraq in a few days/weeks.

Posted by: SilverStr at August 4, 2004 12:15 PM


This blog is not supposed to replace YOUR due diligence and patch management strategy as part of your infosec policy.

As I am not the author of putty, you shouldn't expect ME to provide you detailed information (checksums, signed response etc) of anything past a heads up. Which I did. If there would have been more information on bugtraq to corillate or the like I would have included it. However, at this point you probably got about a weeks window AHEAD of the industry here. It only takes a couple of seconds to verify if the intent was real by simply GOING to the putty page and verifying yourself. My addendum to the post, which I modified after your original posts, even linked to the page for you.

I apologize if you believe I have more responsibility here. I am flattered that you believe so, but would like to point out my words here are not a replacement for your CSO.

Posted by: SilverStr at August 5, 2004 07:14 AM

As an update, an advisory was published today from Core Security on the vulnerability. Should start to see exploits for it in the next couple of days now that people have a better understanding of what and how its vulnerable.

You can read the advisory here.

Posted by: SilverStr at August 5, 2004 10:39 AM