Dailydave mailing list archives
Re: HP getting sued
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 8 Dec 2011 17:41:45 -0500
On Wed, Dec 7, 2011 at 2:26 AM, Carl-Johan Bostorp <Carl-Johan.Bostorp () cybercom com> wrote:
> So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade “potential security vulnerability”. It’s claimed that HP knew about the vulnerability, but failed to disclose it, and this constitutes an “unfair” business act. https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true
The 'unfair business practice' is an interesting new angle. The evolution makes sense to me (a legal layman) since other initiatives never seem to gain traction. I know it's apples to oranges, but I've never seen a class action for a data loss survive - it would be nice to see some headway made.
> This is the first case I’ve heard of where this happens. Will be really interesting to see what happens. With any luck, vendors will have to at least disclose the shit they choose not to fix. http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/ … but then again, there are gradients here that can be difficult to rule.
Excessive patch times are a bit bewildering at times. Apple, IBM, and Microsoft would probably make the list: https://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/ (Apple update code, 3 years), http://www.zerodayinitiative.com/advisories/ZDI-10-022/ (IBM Informix librpc.dll Multiple Remote Code Execution, 2 years), and http://linuxbox.org/pipermail/funsec/2010-April/024746.html (Microsoft GDI vulnerability, 2 years).
> How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing these vulnerabilities, or must they be made public as soon as they know *anything*? Or is it just when they decided not to fix it? If so, can we then expect vendors to have vulnerabilities rated as “undetermined” for years? Maybe a 6 months grace period from vendor notification to people starting to sue? What about severity of vulnerability?
Another interesting question, but recall that Microsoft never released details of MS09-048 since a 'properly configured' server with a 'properly operating' firewall was not at risk (supposedly). People were actually looking for 3rd party patches http://seclists.org/bugtraq/2009/Sep/116.

Jeff

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- HP getting sued Carl-Johan Bostorp (Dec 08)
- Re: HP getting sued Charisse Castagnoli (Dec 08)
- Re: HP getting sued Jeffrey Walton (Dec 08)