> There is a very strong indication for this being a buffer overflow in a
> non-forking daemon, rather than a preemptive IDS strike. The threshold for
> the number of characters prompting an overflow; the delayed effect of an
> overflow; the fact it is affected only by the last EHLO; and the global
> unavailability of the service - all are a clear indication of a classic
> b0f related crash.

The actual nature of this flaw was a bug that resulted in memory exhaustion.
What you uncovered was a DoS that didn't actually affect the security of the
system, only the availability. We'd like to stress that this didn't affect
our users as the resulting behavior merely delays email. Since we fixed the
bug quickly, this didn't happen.

> I notified Google today. It is my understanding that they do not routinely
> communicate with researchers or the community on security problems in
> their code, so I am not coordinating a response in any way. The problem
> may or may not be fixed by now.

We do read external communications sent to us and are greatly appreciative
of any and all reports we receive. As for communicating with others, I would
hope that recent press articles would alleviate the misconception that we do
not work with others. We even post to our company blog
(http://www.google.com/googleblog/) about various incidents as necessary. So
I am sadly disappointed that you were under the impression we wouldn't take
action on your report.

Just so that everyone knows, we have an official external email address for
reports of this kind: security@xxxxxxxxxx

> PS. If that trivial flaw is representative of the quality of server-side
> code beyond some of Google services, I would worry - but take this opinion
> with a grain of salt.

Gmail is a Beta product and we are still working out the kinks!

-Heather

--
Heather Adkins <hadkins@xxxxxxxxxx>
Google Security Team