Bugtraq mailing list archives

Re: ISS Apache Advisory Response


From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 21 Jun 2002 15:53:49 -0400

1)      Our policy for publishing advisories is to give a vendor 30 to 45
day quiet period to provide an opportunity to create a patch or work around.
If an exploit for the vulnerability appears in the wild, or a patch and
work-around is provided by the vendor or ISS X-Force, this quiet period is
disregarded and the ISS X-Force advisory is published immediately.

In the case of this advisory, ISS X-Force provided an Apache patch and did
not see a need for a long quiet period.
2)      The original ISS X-Force Apache Patch did work properly against the
specific vulnerability described by X-Force, despite claims that it did not.
The Apache and CERT advisories on their websites have been corrected to
reflect this.

If you confirm things with the vendor first, you won't have the kind of
confusion that ensued.  When WebInspect users called me asking what we meant
by "the patch supplied by ISS is disputed by the Apache Software Foundation"
I had to explain to them that basically they had the choice of shutting down
their production servers or deciding to trust a patch that wasn't confirmed
by Apache.  I'm sure many other security professionals and system
administrators had similar experiences.

3)      ISS was not aware of other researchers discovering this
vulnerability nor aware of it in the wild at the time of the release of the
advisory.
5)      The Gobbles' exploit has confirmed our decision to release as soon
as possible based on our assumption that others were likely to discover the
same vulnerability in the wild.

Did you assume that other people had discovered this or not?  Playing this
"Well, we had no PROOF that it was known but we ASSUMED that it did so we
can behave in whatever way we want and justify it with either one" game is
silly.

6)      We do not view this as a race to beat other researchers to releasing
an advisory, but a race to protect our customers in a timely manner.

Chris Rouland's statements to CNN
(http://www.cnn.com/2002/TECH/industry/06/18/computer.security.ap/index.html)
make me doubt this:
"Complicating the matter, Rouland said he didn't trust Cox, who along with
his Apache duties is the senior director of engineering at Red Hat Software,
which distributes the Linux operating system. Rouland accused Red Hat of
taking credit for earlier ISS research."
This is clearly simple, petty jealousy before responsibility.  You want
credit just like everyone else does, of course, but come on... And Apache
did give proper credit after all.
(http://httpd.apache.org/info/security_bulletin_20020620.txt)

Due to the general nature of open-source and its openness, the virtual
organizations behind the projects do not have an ability to enforce strict
confidentiality.  By notifying the open source project, its nature is that
the information is quickly spread in the wild disregarding any type of quiet
period.  ISS X-Force minimizes the quiet period and delay of protecting
customers by providing a security patch.

This is obviously ridiculous.  It sounds like something Microsoft would say
in one of their FUD campaigns.  The gist here is that open-source software
projects are inherently incapable of confidentiality in dealing with
sensitive issues.  I suppose all of the Apache users in the world would have
instantly known if you had sent an email to the lead developers?  Throwing
out garbage terminology like "virtual organizations" is marketing and
business talk that doesn't belong on Bugtraq.  I know just as well as anyone
else reading this list that any organization is made up of people and people
can be dealt with like people.  If the group of people that had known about
the issue had gotten large enough that it spread to someone that developed
an exploit using this new information and the exploit in turn began to
spread and was being used in the wild, you could've released the advisory
THEN.  But X-Force didn't even bother.  In any case, the WORST that would've
happened is that a whole bunch of people would've found out about the
vulnerability before there was a known and confirmed patch available-- which
was exactly what happened when X-Force DIDN'T notify Apache.  If your above
theory held water (and assuming Mark Cox wasn't lying) we all would've known
about the vulnerability before three days ago because it was previously
reported.  Clinging to that argument after the fact is absurd.



Kevin Spett
SPI Dynamics, Inc.
http://www.spidynamics.com
