When is a 0day in OpenSSH not a 0day? When it's local exploit code. Not the kind that exploits a vulnerability in the system you are logged into, to escalate privilege for example. The kind that takes advantage of potential vulnerabilities in the gray matter between your ears to make a mess of your local system. A reader wrote in to advise us of a potential 0day in the current version of OpenSSH 5.3/5.3p1 released Oct 1, 2009.
He provided a link to a blog post which has what appears to be exploit code. Unfortunately the first thing I did, before I looked at the code, was fire off an email to the OpenSSH list. They responded quite quickly that "It's pretty clear that the code just exploits your local machine...". Woops. A follow up email says "Looks like a rehash of the fake "exploit" from last July." So, the good news is, there does not appear to be a 0day on OpenSSh making the rounds. The bad news is, if you ran the code you are rebuilding your system. Worse still, if you emailed all your friends pointing to the 'exploit' code, well, now you look rather foolish.

Lesson one to me, always check things out.

Do the research and analysis before crying wolf. Fortunately no harm done. This has to be balanced against the requirement for timeliness of information flow along a contact tree. In this case I erred on the side of alerting quickly.

The link for this article located at SANS is no longer available.