Re: BUGTRAQ] vulnerability in Connection Manager Control binary in

[Chris Calabrese <chris_calabrese () YAHOO COM>]

> Go through your Oracle installation and remove the
> setuid bit on all those little helper applications
> that you don't use. Don't wait for someone to tell
> you that one of them is exploitable.

I couldn't agree more.  Unfortunately, this ends up as
a political issue rather than a technical one in many
cases.  Yes, this is a very bad thing.  It's also all
too common.

> [Rant deleted]

I also agree that vendors need to make a more
concerted effort to actually respond to security
issues rather than just sweeping them under the rug.
The good news is that they are getting better.  And
much of this is thanks to pressure from the security
community.  On the other hand, releasing exploit code
before the vendor even has a chance to produce a patch
and without including a definitive and well-tested
work-around is making the problem worse not better.

In my opinion, the responsible thing to do is to
present the vendor with a time-line of when you'll
disclose if they don't do it first.  Here's a (made
up) example.

  Dear vendor,

  I've discovered a huge security hole in product X.
Details below.  You should be aware that I am an
advocate of full disclosure and intend to disclose the
issue to Bugtraq if you do not respond within N1 days,
do not disclose the issue yourself (giving credit to
me, of course) within N2 days, or do not produce a
patch within N3 days.

  Thank you...

This way, you still get the credit you deserve for
discovering the problem, the vendor knows that you
intend to disclose and can react accordingly, and, if
the vendor reacts reasonably, you don't make the
problem worse by letting the cat out of the bag
prematurely.

Ok, that's enough on this issue.  Let's get back to
the real work of making the world a better place ;-)


__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/