18 March 2019

New PuTTY version after almost 2 years

The open-source SSH client PuTTY, popular among Windows administrators, was released in a new version last Saturday. This update closes several critical security vulnerabilities. The last version of PuTTY was released around 20 months ago.

Users should update urgently

The newly released version 0.71 was made available for download last Saturday, March 16, 2019.

PuTTY is available as a 32- and 64-bit MSI installer package as well as a source archive. As is customary with PuTTY, all components of the package can also be downloaded individually as executables.

Based on the security vulnerabilities listed and fixed in the changelog, we can only strongly recommend updating all PuTTY clients.

As with any security-relevant software, the digital fingerprints (hashes) of the downloads should be verified. Alternatively, the author team also provides GPG signatures to verify the authenticity of the archives. Furthermore, you should not download this tool from third-party, unknown sources: security-relevant open-source software in particular is frequently repackaged by unverified third-party download sites as a way to introduce modified and sometimes malicious builds into systems.
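As an added illustration of the verification step recommended above (not code from the original article or from the PuTTY project), the following PowerShell script checks a downloaded PuTTY installer against the project's published SHA-256 list and detached GPG signature. The file names follow PuTTY's download naming convention and are assumptions, as is the presence of gpg on the system.

```powershell
# Added example: verify a downloaded PuTTY installer against the published
# SHA-256 list and the detached GPG signature before installing it.
# Assumptions: the installer, the sha256sums list and the .gpg signature have
# already been downloaded from the official project site into the current
# directory; file names follow PuTTY's 0.71 naming convention.
param(
    [string]$Installer    = '.\putty-64bit-0.71-installer.msi',
    [string]$ChecksumList = '.\sha256sums',                      # published hash list
    [string]$Signature    = '.\putty-64bit-0.71-installer.msi.gpg' # detached signature
)

# 1. Compute the local SHA-256 (Get-FileHash ships with PowerShell 4 and later).
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash.ToLowerInvariant()

# 2. Look up the published value. Entries have the form "<hash>  <path/filename>",
#    so match on the bare file name preceded by whitespace or a path separator.
$name = [System.IO.Path]::GetFileName($Installer)
$line = Get-Content $ChecksumList |
        Where-Object { $_ -match "(\s|/)$([regex]::Escape($name))\s*$" } |
        Select-Object -First 1
if (-not $line) { throw "No entry for $name found in $ChecksumList" }
$expected = ($line.Trim() -split '\s+')[0].ToLowerInvariant()

if ($actual -ne $expected) {
    throw "SHA-256 mismatch for $name`n  expected: $expected`n  actual:   $actual"
}
Write-Host "SHA-256 OK: $name"

# 3. Verify the detached GPG signature. This requires gpg on PATH and the PuTTY
#    release key imported and checked against the fingerprint the project
#    documents; the fingerprint is deliberately not hard-coded here.
if (Get-Command gpg -ErrorAction SilentlyContinue) {
    & gpg --verify $Signature $Installer
    if ($LASTEXITCODE -ne 0) { throw "GPG signature verification failed for $name" }
    Write-Host "GPG signature OK: $name"
} else {
    Write-Warning 'gpg not found on PATH; signature check skipped'
}
```

A failed hash or signature check means the file must not be installed; re-download it from the official project site rather than from a mirror.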

You can find more information on the official project homepage.

EU funding program for the security of open-source software

With the EU-FOSSA funding program, in which the European Commission offered rewards for submitted bugs in a selection of open-source software, PuTTY was also included in the latest round. For the period from January 16, 2019 to December 15, 2019, a total reward of €90,000 was offered for PuTTY for reported security vulnerabilities.

As a result of this program, the PuTTY authors are closing five security vulnerabilities with the current release that were submitted to EU-FOSSA:

  • Before host key verification, memory can be overwritten remotely during the RSA key exchange
  • Possible reuse of random numbers for encryption
  • On Windows, an attacker can manipulate a help file and thus gain control of PuTTY
  • On Unix systems, a buffer overflow can be triggered remotely
  • Various denial-of-service attacks by writing to the terminal

More information about the bug bounty program is available here.

Further bug fixes by the author team

In addition to the bugs reported via EU-FOSSA, the team is fixing further issues and delivering improvements in the areas of security and usability.

Overall, the EU program suggests that further fixes can be expected over the course of 2019, after PuTTY development had become quieter.

PuTTY is embedded in many programs

It should also not be forgotten that PuTTY, as open-source software, is indeed used directly or indirectly in other products. For example, there is the Multi-PuTTY-Manager, which uses an existing PuTTY installation. Here, too, it is important to remember to update the PuTTY installation to close the security vulnerabilities. The same naturally applies to AutoPutty and similar tools.

Also important is software that integrates PuTTY or parts of it permanently or invisibly to the user. One example is WinSCP, which uses the PuTTY package component Pageant. In this case, it may be necessary to wait for a new release of the embedding software.

The PuTTY authors maintain a list of software that includes PuTTY.

Categories: News
Tags: PuTTY Security Updates

About the author

Peter Dreuw

Head of Sales & Marketing


Peter Dreuw has worked for credativ GmbH since 2016 and has been a team lead since 2017. Since 2021 he has been part of the management team as VP Services at Instaclustr. With the acquisition by NetApp, his new role became "Senior Manager Open Source Professional Services". As part of the spin-off he became a member of the executive management as an authorised officer (Prokurist). His area of responsibility is leading sales and marketing. He has been a Linux user from the very beginning and has run Linux systems since kernel 0.97. Despite extensive operational experience, he is a passionate software developer and is also well versed in hardware-level systems.


