Firewall Wizards mailing list archives
recent disclosure debates
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 15 Dec 2002 19:49:02 -0500 (EST)
Folks,

There's been a flurry of debate re-arising from the ISS/ISC bind vulnerabilities disclosure fiasco. Considering the events that played out on bugtraq and related lists, and recounted in:

http://www.eweek.com/article2/0,3959,758258,00.asp

<quote>
When Internet Security Systems Inc.'s X-Force research team last month released an advisory warning of three newly discovered vulnerabilities in BIND (Berkeley Internet Name Domain), the advisory said that patches for the problems were ready and provided an e-mail address at the Internet Software Consortium from which users could request the patches.

However, the patches at the time of the advisory were available only to organizations that had paid the ISC a fee to receive early warning of problems with BIND. The ISC, which maintains BIND, established a limited-distribution, early-notification mailing list last year when word of another batch of vulnerabilities leaked before patches were available.

Michael Brennen, president of FishNet Inc., a Plano, Texas, domain registrar, wrote to the ISC requesting the patches and asked why they had not been made available at the time of the advisory. The ISC told him it wanted to make sure that the right audience had the patches first.

"As of the moment of the announcement, 'the right audience' should be expanded to include all those placed at risk because they use the software," Brennen wrote. "Failure to make the patches available suddenly puts many systems at rapidly increasing risk."
</quote>

I'm wondering why all the fingers are pointing so dramatically at ISS and why ISC has received little or no heat in the issue. It appears in other postings through bugtraq that ISS and ISC worked together for at least a month on the issues ISS released their advisory on, and for which patches seem to be dated back to as ISC fixes to code.

From all the reading I've followed, there was a coordinated effort that failed when it came time to make the patches available to the public, after members of BIND Forum were notified and given advance patches. So, I'm wondering why ISS got so much bad press on this issue and ISC remained unscathed for the most part.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards