FOR IMMEDIATE RELEASE
8/21/97
Blue World Updates Lasso to Address Security Hole Discovered in “Crack a
Mac” Contest; Informs and Assists Other Developers
Bellevue, WA – Internet software developer Blue World Communications, Inc.
has released a revision to Lasso to address a security hole present in
Lasso and several other Mac OS Web server products that was discovered
during the Web-wide “Crack a Mac” contest (http://hacke.infinit.se). Within
24 hours of the discovery, Blue World posted a fix and notified its
customers. It has since released a revised x.x.3 patch to further enhance
security, and posted a new version of the free Lasso Lite product.
This patch, along with changes currently being made to other Mac OS
Internet products, restores the Mac OS platform to a position it has held
for over two years as the most secure and easiest to maintain platform for
Web serving.
“To date, we are unaware of any Lasso customers whose security has been
compromised solely due to Lasso,” states Blue World President & CEO Bill
Doerrfeld. “Given that Internet security is a hot topic with implications
often exaggerated or misinterpreted, we are pleased to have been able to
provide a patch for this hole within 24 hours.”
The presence of this hole combined with how other products handled security
contributed to someone ‘winning’ the ‘Crack a Mac’ website security
challenge. By using an obscure and previously unknown method, a remote
visitor was able to point Lasso to serve a lightly protected password file
used by another vendor’s product. This product relied upon yet another
product’s undocumented (in its API specification) approach which protects
certain files through file modification. Prior to the security patch, Lasso
did not support this little-used approach. By gaining access to the lightly
protected password file, someone was easily able to use that vendor’s
product to log in and edit the contents of a web page, thereby successfully
cracking the Web server.
Blue World has volunteered to pay the full amount of the challenge prize
(approximately $12,000) to the party who discovered the hole. Doerrfeld
said, “We feel that volunteering to pay the prize money was the right thing
to do no matter how many products were involved. We also are delighted that
this enabled this important competition to quickly get back on track.” The
Lasso security patch Blue World provided the host for the competition
allowed them to immediately renew the competition, now more secure than
ever.
“The recent ‘Crack a Mac’ security breach has inspired much closer
examination of obscure methods for compromising security on a Web server”,
states Doerrfeld. “A number of products have already been identified as
containing holes either similar or exactly the same in scope and effect as
the flaw recently discovered and fixed in our Lasso product. We have every
intent to assist these vendors with knowledge we have gained. We applaud
the efforts of those in the tight-knit, fast-paced Mac OS Internet
community who demonstrate rare cooperation in rapidly dealing with problem
resolution.”
For details on the Lasso security hole along with links to the update
patch, visit http://www.blueworld.com/lasso/security_update.html.
About Blue World Communications, Inc.
Blue World Communications (www.blueworld.com) provides a complete line of
Internet business solutions with a special emphasis on FileMaker Pro as
part of its mission of “bringing business to the internet.” Blue World’s
products include Lasso 2.0 and MailMan, the FMPro.Net service, and custom
programming services for complete Web site solutions. Blue World, based in
Bellevue, WA, is a privately held company founded in 1990.
