Dailydave mailing list archives

Re: HP getting sued


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 8 Dec 2011 17:41:45 -0500

On Wed, Dec 7, 2011 at 2:26 AM, Carl-Johan Bostorp
<Carl-Johan.Bostorp () cybercom com> wrote:
> So it looks like HP is getting sued in a class action lawsuit over the
> firmware upgrade “potential security vulnerability”. It’s claimed that HP
> knew about the vulnerability, but failed to disclose it, and this
> constitutes an “unfair” business act.
> https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true
The 'unfair business practice' is an interesting new angle. The
evolution makes sense to me (a legal layman) since other initiatives
never seem to gain traction. I know it's apples to oranges, but I've
never seen a class action for a data loss survive - it would be nice
to see some headway made.

> This is the first case I’ve heard of where this happens. Will be really
> interesting to see what happens. With any luck, vendors will have to at
> least disclose the shit they choose not to fix.
> http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/
> … but then again, there are gradients here that can be difficult to rule.
Excessive patch times are a bit bewildering at times. Apple, IBM, and
Microsoft would probably make the list:
https://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/
(Apple update code, 3 years),
http://www.zerodayinitiative.com/advisories/ZDI-10-022/ (IBM Informix
librpc.dll Multiple Remote Code Execution, 2 years), and
http://linuxbox.org/pipermail/funsec/2010-April/024746.html (Microsoft
GDI vulnerability, 2 years).

> How much would a vendor have to disclose of vulnerabilities known but not
> fixed? Do they get any grace period on fixing these vulnerabilities, or must
> they be made public as soon as they know *anything*? Or is it just when
> they decided not to fix it? If so, can we then expect vendors to have
> vulnerabilities rated as “undetermined” for years? Maybe a 6 months grace
> period from vendor notification to people starting to sue? What about
> severity of vulnerability?
Another interesting question, but recall that Microsoft never released
details of MS09-048 since a 'properly configured' server with a
'properly operating' firewall was not at risk (supposedly). People
were actually looking for 3rd party patches:
http://seclists.org/bugtraq/2009/Sep/116

Jeff
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

