Bugtraq mailing list archives

Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw


From: bostic () BSDI COM (Keith Bostic)
Date: Fri, 1 May 1998 16:39:46 -0400


I don't have much to say about The Open Group taking X private.  I don't
like it, but that's neither here nor there.

My concern is that CERT has let itself be used as a marketing tool.

To be fair, I believe it was accidental.  There are two types of CERT
postings: advisories and vendor initiated bulletins.  The former are what
gets passed around among vendors before CERT releases the information,
and they contain exploit information.  They usually concern common code
that lots of systems share, and for that reason are of interest to
multiple vendors.

The latter are precisely what the name implies -- vendors give the CERT
information and CERT disseminates information as to where patches are
available to users of those systems.  The idea is that vendor-initiated
bulletins are specific to a vendor, so there's no reason to provide
exploit information to other vendors.

What happened in this case was that The Open Group gave CERT a vendor
bulletin, but it concerned code shared by other vendors.  Because the
problems were in common code and the bulletin explicitly stated that the
common versions were vulnerable, the bulletin's message became "there's
a security problem in your systems, and if you don't buy software from
us, your children will eventually have to beg for food in the streets."

This is a slippery slope.

When BSDI finds a security problem in common code, we tell CERT about it,
and we provide exploit code to them, because we know that when CERT finds
out about problems in common code from Sun or FreeBSD, we'll get exploit
code from them.

This only works if all the vendors play by the same rules.  If the rules
have changed, I think you can confidently expect to see vendor initiated
bulletins from BSDI that read something like:

    We have found a horrible, awful life-threatening problem
    in the TCP/IP stack, and Solaris is vulnerable!  If you
    don't buy BSDI systems, hackers will have cancelled all
    of your credit cards by tomorrow evening.  Nyah, nyah, nyah!

Again, I believe this was accidental on CERT's part, and I don't think
it had to have been malicious on The Open Group's part.  Holding back
information for a week while your customers get a preview is something
that most companies have done from time to time.

That said, we have a problem, and both CERT and The Open Group need to
fix it:

    1. The Open Group should immediately release full information for
       the X bugs they've reported (including exploits), to CERT.

    2. CERT should immediately circulate that information to the usual
       vendors/groups.

    3. CERT should publicly state that their policy is that vendor
       initiated bulletins should not concern common code shared by
       vendors, and advisories about common code should include
       information sufficient for other vendors to fix their systems.

Obviously, in the future, The Open Group can choose not to send exploit
information to CERT, that's their choice.  Alternatively, The Open Group
can send CERT vendor-initiated bulletins, but in that case, they should
not mention code that is used by other groups, regardless of other groups
being at risk.

CERT cannot function as it has up to now, if it permits itself to be
put in the position of providing a marketing advantage to a vendor.

So... I'd suggest if you haven't already done so, call CERT and let them
know that you're concerned.  There's a problem here, and it needs to be
fixed.

Keith Bostic
        BSDI                            bostic () bsdi com
