Bugtraq mailing list archives

Re: SUN almost has a clue! (automountd)


From: Alfred_Huger () NAI COM (Huger, Alfred)
Date: Tue, 5 Jan 1999 15:41:22 -0800


-----Original Message-----
From: Andreas Bogk [SMTP:ich () ANDREAS ORG]
Sent: Tuesday, January 05, 1999 4:41 AM
To:   BUGTRAQ () netspace org
Subject:      Re: SUN almost has a clue! (automountd)

On Mon, Jan 04, 1999 at 05:38:46PM -0800, Friedrichs, Oliver wrote:
It was never publicly noted, since the problem hasn't been fixed
yet (and as a security company, we aren't in the habit of
disclosing bugs which aren't fixed), however many people knew

        [Huger, Alfred]
 Experience shows that vendors don't move unless the bug is disclosed

        The NAI Labs team which discovered the bug (apparently independently
of the previous poster) is the former SNI Team, insinuating that we are not
full disclosure would be entirely incorrect. Take a few minutes and check
the Bugtraq list archives for the last 2 years, you will see significant
participation from our team, from the infancy of this list up to now. This
bug simply did not strike us as an 'immediate post' issue. Had we felt it
was (and we still do not think this is the case) we would have released
an advisory and hopefully received vendor support. If you looked at the 30
advisories we have released to this list you would note instances where we
posted with vendor support and instances where we did not. This issue simply
was not important enough to expedite and post without vendor support.

        And all the script kiddies out there are probably very grateful for
        that

        Garbage, this insinuates we are somehow culpable for break-ins
because of the 'status-bounce' issue. Perhaps you should re-read the post
containing the description of the problem. The only 'get-root' here is the
automount problem for which there has been a patch available for some time.
If a machine has fallen prey to an attack via automount, the delivery
mechanism is not the issue here. Not only is this flippant remark
misdirected, it's cheap.


--


