Light shed on Novell's darkest security secret

Source: The Register

Novell users are finally able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why it's needed, lest hackers exploit the problem on unpatched systems. There was also a patch for client machines, but this was less critical...

Users were left to wonder why the server patch was needed or had to trust Novell that applying it wouldn't mess with their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch

Three months on, Novell believes the vast majority of its clients have applied the patch and has (quietly) posted a security update on its Web site.

The Padlock Fix, it can now be revealed, closes up a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.