Conan
June 8th, 2004, 11:13 AM
I read this article of The Inquirer:
http://www.theinquirer.net/?article=16298
So I flamed the Editor 'cause I was also using a Linksys BEFSR41 Router and I had just updated my firmware last April 2004. Here is the e-mail exchange:
-----Original Message-----
From: Conan
Sent: 07 June 2004 16:16
To: mike.magee@theinquirer.net
Subject: Linksys Router Article
You must be a complete idiot at searching for BEFSR41 firmware. My BEFSR41 is using firmware created on April 1, 2004. http://www.linksys.com/download/firmware.asp?fwid=183
----------------------------------------------------------------
Mike Magee wrote:
I am not a complete idiot, only 92% an idiot. But I'll forward your tasty little morsel to Fernando, who wrote the article, who can answer for himself.
Mike Magee
----------------------------------------------------------------
[Note to editor: Oh Sheesh!!]
Dear Reader:
FYI: There are three flavors of the Linksys BEFSR11 (and BEFSR41) routers.
There is hardware "version 1", "version 2" and "version 3". The "version 3" was produced AFAIK after Linksys was engulfed by Cisco. That April 1, 2004 firmware is for VERSION 3 hardware ONLY. If you read the exploit linked from my original article you will find in the comments the phrase "tested against a fully patched BEFSR41" and that exploit is dated mid-May. Chances are, whoever wrote it tested it against a BEFSR41 but of the "v2" or "v1" hardware revision variety.
There are thousands of "v2" and "v1" BEFSR41 and BEFSR11 in use around the world right-this-minute (like mine), and those WERE OPEN AND VULNERABLE to the BOOTP/memleak security hole. At the moment I wrote the original article the firmware for v1 and v2 routers had not been updated by Linksys since mid-2003.
Only on June 3, 2004 (one day after our article) did Linksys acknowledge the issue and promise an update for v1 and v2 hardware, which was finally released yesterday, June 7th. That's why there's now firmware version 1.45.11, dated Jun 03 2004, which fixes not only the BOOTP sniffing hole but several others.
I invite you to read the follow-up article at
Linksys routers can't be sniffed at no more
Firmware upgrades for all
http://www.theinquirer.net/?article=16416
I also invite you to please not call our editor an idiot, as that is reserved for INQ staff only.
Thanks for reading and taking the time to amuse us.
Fernando Cassia
