Bugtraq mailing list archives

Re: Napster, Inc. response to Colten Edwards


From: drc () SOPHMAN COM (Danny Crawford)
Date: Thu, 30 Mar 2000 18:29:33 -0600


That's funny because I know of three ( one was me ) people that notified
Napster of this problem on IRC and via land line.

----- Original Message -----
From: "Elias Levy" <aleph1 () SECURITYFOCUS COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, March 30, 2000 1:51 PM
Subject: Napster, Inc. response to Colten Edwards

----- Forwarded message from Jordan Ritter <jpr5 () napster com> -----

Date: Wed, 29 Mar 2000 13:50:05 -0800
From: Jordan Ritter <jpr5 () napster com>
To: aleph1 () securityfocus com
Subject: Napster, Inc. response to Colten Edwards
Message-ID: <20000329135005.A17554 () napster com>

Aleph --

      I'm waiting for listserv to come through on my napster.com
      subscription to bugtraq, but it's lagging.  Please push this
      through.  Thanks.

--jordan

-----

BugTraq readership:

    This email is in response to the recent post by Colten Edwards
    regarding a potential buffer overflow in the Napster client
    software.

    The Napster Win32 client software does contain an overflow in its
    messaging functionality, which includes public (chat) and private
    (IM) messaging.  The overflow only affects users of the Win32
    Napster client, and could only be exploited through the use of a
    rogue Napster client in conjunction with a Napster server.

    Napster, Inc. reports NO indication that this vulnerability is
    being exploited, and further would like to assure the general
    public that the vulnerability is NOT an issue any longer.

    Approximately one hour after receiving the post from BugTraq,
    Napster's servers were patched to prevent this from occurring.
    Users of the Napster Win32 client software are NOT vulnerable.

    We would like to point out the unfortunate fact that we first
    learned of this issue through BugTraq.  The discovery of the
    problem was apparently relayed briefly to the #napster channel on
    EFnet IRC by Colten Edwards, before being posted to this list
    approximately one hour later.  Napster, Inc. was never notified of
    this issue via phone, email, or across any other effective channel
    of communication.

    This situation is particularly disturbing to us, as Mr. Edwards'
    malicious intent becomes painfully obvious from the tone and
    candor of his post.  To the best of our knowledge, the general
    policy on BugTraq is that vendors should be notified of issues and
    given a reasonable amount of time to address the problem, so as to
    avoid unnecessary risk to the vendor's customers.  A meaningful
    notification from Mr. Edwards and a small amount of patience would
    have resulted in a fix before the potential vulnerability put our
    users at risk.  Of course, understanding the time frame involved
    and the intent of the post, we can only voice our dismay and
    disapproval of Mr. Edwards' actions.

    Thank you, and good day.


Jordan Ritter
Security Director
Napster, Inc.

Napster -- Music at Internet Speed

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/


