Full Disclosure mailing list archives

Fw: Bind 8 bug experience


From: "HggdH" <hggdh () attbi com>
Date: Thu, 14 Nov 2002 13:23:15 -0600

Time to shake this list.
----- Original Message ----- 
From: "Michael Brennen" <mbrennen () fni com>
To: <bugtraq () securityfocus com>
Sent: Wednesday, November 13, 2002 00:23
Subject: Bind 8 bug experience
Three bugs in bind 4 and 8 were announced this morning, November 12.
At least one has the possibility of arbitrary code execution, and
the ISC web site lists it as 'Serious'.

At 13:02 CST this afternoon per the ISC announcement, about an hour
after receiving the bug announcement, I requested bind 8 patches
from Lynda McGinley, Executive Director of ISC.  I received a
response from her roughly 8 hours later this evening that I had been
added to the patch announce list.  My thanks to Lynda for that, but
she did not give direct information on where to get the patches, and
I have received nothing from the patch announce list.  I don't know
when I can expect to receive anything -- tonight, next week, or next
month?

Earlier today I asked Lynda a question: why were patches not made
available at the time of the announcement?  Paraphrasing her
response, since I have not asked her permission to forward verbatim
what she wrote, she indicated that those in the bind forum that had
subscribed to the early security notification had the patches
readily available.  She indicated that ISC wanted to make sure that
the right audience had the patches first.

I clarified to her that my understanding is that the early
notification subscription was for the purpose of vendors being
notified before public announcement so they could get software
packages updated and available prior to announcement.  Lynda
affirmed this.

My response to her was that the right audience should change in
relation to announcement.

Those that paid to be notified early had that expectation fulfilled.
Before announcement, per current ISC practice, they are the right
audience, and they got bind 4 and 8 patches.

As of the moment of announcement, the right audience should be
expanded to include all those placed at risk because they use the
software.  Failure to make the patches available suddenly puts many
systems at rapidly increasing risk.

I have not yet heard a satisfactory answer as to why patches were not
publicly available when this announcement was made.  More troubling,
why has ISC not released the patches yet?  As of 23:44 CST, about 12
hours after the first announcement, nothing beyond 8.3.3 is
available in the normal directories on ftp.isc.org, yet updates
clearly exist.

Per the ISS announcement, to the best of their knowledge no crackers
knew of these bugs, nor were there exploits available.  From the
moment of the announcement, that is no longer true.  If these were
truly unknown bugs, there was time to do this right, to fix the bugs
and get the updates available.  That time advantage is eroding very
rapidly.

I had held off upgrading to bind 9 because of its newness. Observing
its release history, in my assessment it has not been any better
than bind 8.  There have been too many beta, release candidate and
security fixes to be considered stable.  Meanwhile, ISC's policies
left me with no real choice.  I've dropped everything else this
evening and have upgraded to bind 9.

I don't know of a similar incident when the known patches to such a
serious problem were withheld by a software provider.  This is
particularly true in the case of software whose security and
stability are the most crucial to the operation of the Internet.

This raises troubling questions about the future management of bind.
What will happen when the next bind 9 bug hits?

   -- Michael


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html