Full Disclosure mailing list archives
Fw: Full Disclosure != Exploit Release - No disclosure No Fix
From: "yossarian" <yossarian () planet nl>
Date: Wed, 29 Jan 2003 23:55:03 +0100
OK - challenge taken Few from my archives (all a bit older, haven't organised for a few years, form the time I was editor of a security e-zine) October 2001: Bank Of America Online banking software - homebuilt, but their IT dept. is bigger than most software companies: https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller local caching of user credentials - reported in june, not fixed in October October 1999: InoculateIT Agent for Exchange Server CA was notified in oct 1999 of a way of bypassing attachments scan by modified SMTP header. In Oct 2000 the finder went public, since it was not fixed by then. October 2000: Novell denies that Netware 5 running native IP displaying servers, user accounts etc. over port 524 (NCP) is a security issue. BTW - On 427 (SLP) you can get all NDS tree info without authentication. May 2000: Lotus Notes R5 clients (>R5.0.6)- manipulated digital signature. The client does not notify if S/MIME messages have been tampered with. Still not fixed and no formal advisory by October. Lotus had been informed in various ways, several times. Does this prove anything? Of course I cannot prove that vender were notified * properly*, since there is no common definition. The proposed IETF standard was not adopted. I do remember cases where vendors had no wish to accept vulnerability notification from not-registered users, or lost the notification (and were brave enough to admit it). On some software evaluation projects, I used the info on the vendors handling of security issues as a thing to take into account before buying the software. I can tell you that some salespersons out there were not pleased with me. Or some companies that had already bought certain software.. But the cases above are *documented*. If I dig deeper, I will find them from most major companies. And many, many small ones. In nearly every issue of the e-zine, which ran for 3 years (it was in dutch, and it is not online somewhere) I had cases of issues where manufacturer did nothing or denied the issue. Maybe setting up a list with how well sw-vendors handle holes and fixing might lessen the need to release exploit code. Why do I get the feeling that we are running around in circles on these lists? Discussion just don't get settled, and the more experienced people get tired, and just lurk or leave. Maybe the answer is in the poll securityjobs ran in 2000, which showed that people working in the IT security business on average worked in the IT for less than 4 years, and in security for less than one?
On Wed, 2003-01-29 at 06:13, David Howe wrote:That is of course your choice. Vendors in particular were prone to
deny
a vunerability existed unless exploit code were published to prove it.I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released? Definitions: "properly notified" means that the vendor received written notification at a functional address (either email or snail mail) *and* responded (bot or human) so that the sender knows the message was received. "documented" means that there is proof both of proper notification *and* that a patch was not released in a timely manner "timely" means within two weeks of the notification "vendor" means any company that produces publicly available software - open source or commercial Caveats: You cannot use a case where exploit code was released at the same time the vulnerability announcement was made *or* within two weeks of the announcement (see "timely") I'm not saying this doesn't occur. Just that it has the smell of urban legend and justification for actions taken. -- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Fw: Full Disclosure != Exploit Release - No disclosure No Fix yossarian (Jan 29)
- Re: Fw: Full Disclosure != Exploit Release - No disclosure No Fix Blue Boar (Jan 29)
- Message not available
- Message not available
- Was: Full Disclosure = Exploit Release - No disclosure No Fix yossarian (Jan 30)
- Re: Was: Full Disclosure = Exploit Release - No disclosure No Fix Blue Boar (Jan 30)
- Message not available
- Re: Fw: Full Disclosure != Exploit Release - No disclosure No Fix Blue Boar (Jan 29)