Bugtraq mailing list archives

RE: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)


From: "Russ" <Russ.Cooper () rc on ca>
Date: Wed, 13 Nov 2002 08:08:10 -0500

Is this the sort of disclosure we can expect based on the (OIS) Organization for Internet Safety's "code of conduct" 
and/or "best practices" for vulnerability disclosure?

ISS is a founding member of OIS, together with @stake, Bindview, Caldera, Foundstone, Guardent, Microsoft, NAI, Oracle, 
SGI, and Symantec (Symantec owns SecurityFocus).

From [2]OIS FAQ page;
"OIS was formed as a unique partnership between leading security researchers and vendors, for the purpose of 
proposing"..."processes for handling security vulnerabilities."

"OIS is committed to public review and comment on all proposed processes.", therefore, I submit this public review and 
comment on a process used by one of its founding members.

"Does OIS support pre-disclosure of vulnerability information to select groups? No. We believe the software author 
should be given a chance to create a fix before vulnerability information is made public, but that there should be no
further distribution of that information until the fix is complete."

From [4]ISS X-Force Advisory;
"The vulnerabilities described in this advisory affect nearly all currently deployed recursive DNS servers on the 
Internet."

and

The following ISS updates and product releases address the issues described in this advisory. These updates are 
available from the ISS Download Center (http://www.iss.net/download):

RealSecure Network Sensor XPU 20.7 and XPU 5.6
Internet Scanner XPU 6.20
RealSecure Guard 3.1 ebs
RealSecure Sentry 3.1 ebs
RealSecure Server Sensor 6.5 SR 3.3
System Scanner SR 3.08

ISS says that the ISC, which is the reference implementation of the affected BIND versions, has made patches available. 
However, the ISC website[3] tells visitors that they must email them to "speak to ISC about patches", and indicate that 
new releases of the affected versions are "coming soon". BIND 8.3.3 is still recommended and available on the ISC 
site, despite the fact it's affected by all three of the vulnerabilities cited by ISS. This hardly constitutes them 
having "made patches available".

There are also hundreds of BIND implementations that are affected beyond the ISC implementation, and none of those 
vendors have any indications of patches for this issue (or even information about this issue). A quick check of all of 
the vendors listed on the ISC's "Vendor products based on BIND" page shows that none of them have anything up about the 
issues, whether it affects their products, etc... this includes Nortel, Lucent, Checkpoint and others.

From [2]OIS FAQ page;
"Does OIS exchange non-public vulnerability information amongst its membership? No. The OIS Code of Conduct prohibits 
the distribution of vulnerability information to anyone other than the discoverer and the software author."

ISS had no trouble using this information to update all of their products; clearly they distributed the vulnerability 
information to all of their product teams, possibly 100's of people, in violation of the OIS "code of conduct".

From [2]OIS FAQ page;
"What does OIS think about the auctioning or selling of non-public vulnerability information? We believe that it is 
unethical to intentionally make one person more vulnerable than another."

Clearly, anyone who is not using all of ISS' products is more vulnerable than anyone else, if you have a vulnerable 
BIND server in your environment. I'd call that "selling of non-public vulnerability information", wouldn't you? This is 
classic SYN-Flooding tactics.

It is also worth pointing out that ISS is the coordinator for the ISP ISAC. Such a role should be played by someone who 
is beyond reproach when it comes to the ethics of security vulnerabilities. In ISS' case they can probably not worry 
too much about their members being upset since the vast majority of ISPs are likely running unaffected versions of BIND.

However, the vast majority of Corporate America, not to mention companies, educational institutions, and smaller ISPs 
around the world ARE affected. Our analysis shows that an attack based on these vulnerabilities will be trivial, and 
that upgrading to BIND 9.x will not be a quickly adopted path.

One tries to assume that ISS felt this information was going to leak to the public soon and, therefore, needed to 
publish the alert in order to maintain the media attention/credit. Yet in doing so not only have they shown the total 
ineffectiveness of the OIS, they have also put the majority of the Internet at unnecessary risk. They say they know of 
no active attacks, so what was the reason to rush this to the public? If someone else was going to leak it, it would 
have been better to allow them to do so, and afterwards, follow up with the public with their more detailed advisory. 
In the time between now and whenever this unknown person would have leaked the information, or a new attack released 
based on it, ISS may have been able to get more vendors to provide patches for their implementations.

I coined the phrase "Responsible Disclosure"[1], and it was not intended to be represented by actions like this taken 
by ISS in its name. OIS should publicly denounce ISS' action if it expects to maintain any credibility, and ISS should 
explain its reasoning as to why it has put the Internet at greater risk due to its irresponsible disclosure.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Ref:
[1]Proposal - The Responsible Disclosure Forum
http://www.ntbugtraq.com/rdforum.asp
[2]About the Organization for Internet Safety
http://www.oisafety.org/about.html
[3]Internet Software Consortium BIND Vulnerabilities
http://www.isc.org/products/BIND/bind-security.html
[4]Internet Security Systems Security Advisory November 12, 2002
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
