Firewall Wizards mailing list archives
Re: recent disclosure debates
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 15 Dec 2002 21:14:53 -0500 (EST)
This posting was pretty enlightening on the issue:

Date: Sat, 16 Nov 2002 06:37:08 -0800 (PST)
From: <mark_sala () yahoo com>
Subject: bind 8 info update regarding ISS
To: bugtraq () securityfocus com

Up front, I'd like to recognize that ISS has been doing a great job at finding very critical but obscure vulnerabilities in popular services. I'm guessing that there have been a lot of other security experts who have audited the source code of Bind, SSH, etc. and overlooked the discrepancies that ISS picks up on.

Russ Cooper, the Surgeon General of TruSecure, blasted ISS publicly on the Symantec Bugtraq mailing list with an opinion on how ISS is irresponsible for not working with the ISC to properly patch Bind and how they unethically updated their own products.
http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0

Here's updated information that clears up whether ISS was acting responsibly and properly gave notice to the ISC BIND organization. Maybe Russ should give ISS an apology for jumping to conclusions without waiting for facts.
http://developers.slashdot.org/comments.pl?sid=44855&threshold=-1&commentsort=0&tid=172&mode=thread&cid=4653012

Re:Did ISS tell bind maintainers?

ISS and ISC worked together on this. ISS found the vulns, ISC worked with the vendors, and both of us worked with CERT and coordinated the announcements.

Paul Vixie
Chairman, ISC

Re:Did ISS tell bind maintainers?
by Florian Weimer (fw () deneb enyo de) on Tuesday November 12, @06:43PM (#4655265) (User #88405 Info | http://www.enyo.de/fw/)

> Does anyone know if ISS did the right thing, or are they being big doo-doo-heads?

In this case, ISS did not rush ahead. This was a coordinated release. Of course, something went horribly wrong, but I don't think ISS is to blame for it (maybe they could have warned ISC that their approach wouldn't work out, though).
http://online.securityfocus.com/archive/1/299873/2002-11-11/2002-11-17/0

Subject: Re: Bind 8 bug experience
Date: Nov 14 2002 2:41PM
Author: Olaf Kirch <okir () suse de>

On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
> But I see the patches were made October 30 (if the dates are reliable).

In fact I believe ISC have been sitting on this for almost a month. The CVE IDs were assigned October 16, and I have reason to believe that they learned of this no later than October 23. Members of BIND Forum were notified last week, from what I'm told.

In my opinion, the main reason for ISC to use this method of distributing the patches rather than going through established channels (such as CERT) was to be able to convince software vendors and other bodies using/distributing BIND to become a member of BIND Forum. I don't know if that worked out, but I have my doubts.

From my experience of the past two days, I believe they did not expect there to be such a demand for the patches...

** My Own Msg below To Russ **

Regarding Russ Cooper trying to shoot the messenger, where ISS has reported BIND vulnerabilities, I have not seen any evidence of ISS acting irresponsibly. It appears they have worked with the vendor to develop patches and a fix. On ISC Bind's website, they thank ISS in many places. ISS's advisory recommended several work-arounds as well. They did not release any exploit code or demonstration code. Their security advisory is very benign compared to many other posts on Bugtraq.

I don't understand Russ accusing ISS of violating the code of ethics of vulnerability disclosure by updating their own security products against the vulnerabilities. It would seem ridiculous if they DIDN'T update their products when they find vulnerabilities. I would hope any security company who found vulnerabilities would update their products as quickly as possible. IMHO, if ISS finds a vulnerability, they should update their products while the vendor fixes their products. If TruSecure, Russ Cooper's employer, ever found a vulnerability, I would expect them to update their products also. When's the last time TruSecure spent any R&D money finding vulnerabilities and released an advisory?

At least ISS is helping find these vulnerabilities, working with the vendors to correct them, and if they want to update their products and make money off of it, so be it. We still do live in a capitalistic society. ISS, Bindview, Foundstone, and any other security company that finds holes and updates its products for these new vulnerabilities will make their customers more protected; I think that is why they are in business and that's why they invest in finding vulnerabilities and fixing them. In the end, I'd rather have a security company find the vulnerabilities and work with the vendor to fix them than stay in the dark and let the holes stay open for intruders to exploit.

---
Mark Sala
System Admin

On Sun, 15 Dec 2002, Barney Wolff wrote:
> On Sun, Dec 15, 2002 at 07:49:02PM -0500, R. DuFresne wrote:
> > I'm wondering why all the fingers are pointing so dramatically at ISS and why ISC has received little or no heat in the issue. It appears in other postings through bugtraq that ISS and ISC worked together for at least a month on the issues ISS released their advisory on and for which patches seem to be dated back to as ISC fixes to code. From all the reading I've followed there was a coordinated effort that failed when it came time to make the patches available to the public, after members of BIND Forum were notified and given advance patches. So, I'm wondering why ISS got so much bad press on this issue and ISC remained unscathed for the most part.
>
> Because, as I understand the events, ISS and ISC agreed in advance on a date for the patches to be available, but when the date came ISS released the vulnerability without checking that the patches were in fact available. So for lack of a few minutes' effort a nasty situation was allowed to develop. I'd welcome correction by anybody from ISS or ISC who actually knows what happened.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Adam Shostack (Dec 16)
- Re: recent disclosure debates Paul Robertson (Dec 16)
- Re: recent disclosure debates Adam Shostack (Dec 16)
- Re: recent disclosure debates Paul D. Robertson (Dec 16)
- Re: recent disclosure debates R. DuFresne (Dec 15)
- Re: recent disclosure debates Barney Wolff (Dec 15)
- Re: recent disclosure debates Paul D. Robertson (Dec 15)
- <Possible follow-ups>
- Re: recent disclosure debates ISC Tattler (Dec 17)
- Re: recent disclosure debates Marcus J. Ranum (Dec 17)
- RE: recent disclosure debates Reckhard, Tobias (Dec 17)