Full Disclosure mailing list archives
iDefense: Solution or Problem?
From: <idefense () hushmail com>
Date: Tue, 13 Jul 2004 13:53:01 -0700
Michael, you claim that this is a typo, but is it really? Even if this is a typo, how do you explain waiting over a month to contact the vendor? How do you explain past times when iDefense waited over a year to notify a vendor? How does this relate to the iDefense disclosure policy?

http://www.idefense.com/legal_disclosure.jsp

  iDEFENSE will responsibly inform vendors as soon as possible after having learned of a problem with their product(s) or service(s).

Note: "... will responsibly inform vendors as soon as possible after having learned of a problem". There is absolutely no debating that this is pure marketing fluff and not how iDefense operates. Look at their history of vulnerability disclosure and their timelines for proof. The real question becomes, just how unethical and how greedy iDefense really is! Further, are they now rewriting history to desperately protect their already dark image?

Witness:

http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html

  Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability

  VII. DISCLOSURE TIMELINE
  02/02/2003 Exploit discovered by iDEFENSE
  03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17 months? Shortly before or after Cary Barker pointed this out on Full-Disclosure (http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html), iDefense seems to have had a change of heart!

http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities

  02/02/2004 Exploit discovered by iDEFENSE
  03/11/2004 Initial vendor notification

The first and understandable reaction (excuse) would be "iDefense had a typo", but once again, digging into their past vulnerabilities, is that really the case?! Even if THIS advisory had a typo, how about some others this year?!
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities

  04/03/2003 Vulnerability acquired by iDEFENSE
  07/08/2004 Public disclosure

http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities

  04/05/03 Vulnerability acquired by iDEFENSE
  05/17/04 Public disclosure

http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities

  April 2, 2003 Exploit acquired by iDEFENSE
  May 12, 2004 Coordinated public disclosure

Sitting on vulnerabilities for a year before notifying the vendors is not what 'white hat' hackers do. These aren't the actions of a reputable security company. Combining this with the fact that you sell this information to people in foreign companies and governments, including some that are "harboring terrorists" (according to our government), makes your actions potentially criminal. What, you haven't checked your client list carefully? Selling vulnerability information to terrorist nations isn't very friendly to the US!

Looking back at your 2004 advisories (and some in 2003), could anyone at iDefense explain how their responsible disclosure policy applies?
Here is a general idea of their disclosure process and time frames:

  Advisory   Discovery   Publish    Vend Notify   Publish Time
  07.12.04   03-02-02    04-07-12   13 mo 7 d     17 mo 10 d
  07.09.04   04-06-29    04-07-09   7 d           10 d
  07.08.04   03-04-03    04-07-08   14 mo 26 d    15 mo 5 d
  07.01.04   03-09-27    04-07-01   8 mo 7 d      9 mo 4 d
  06.23.04   04-04-21    04-06-23   14 d          2 mo 2 d
  06.21.04   04-02-26    04-06-21   3 mo 13 d     3 mo 25 d
  06.10.04   04-04-14    04-06-10   28 d          1 mo 26 d
  06.08.04   04-04-27    04-06-07   22 d          1 mo 10 d
  06.07.04   03-04-05    04-05-17   13 mo 2 d     13 mo 12 d
  05.27.04   04-02-18    04-05-27   20 d          3 mo 9 d
  05.26.04   04-02-18    04-05-26   20 d          3 mo 8 d
  05.12.04   03-04-02    04-05-12   12 mo 5 d     13 mo 10 d
  04.15.04   03-12-08    04-04-15   1 mo 16 d     5 mo 7 d
  04.14.04   04-01-09    04-04-14   1 mo 11 d     3 mo 5 d
  04.13.04   04-01-12    04-04-13   5 d           2 mo 24 d
  04.05.04   04-01-09    04-04-05   1 mo 16 d     2 mo 26 d
  03.19.04   04-01-13    04-03-19   24 d          2 mo 5 d
  03.09.04   03-10-10    04-03-11   1 mo 2 d      5 mo 1 d
  03.02.04   04-01-22    04-03-02   25 d          1 mo 10 d
  02.27.04   04-01-13    04-02-27   26 d          1 mo 14 d
  02.27.04   04-02-04    04-02-27   6 d           23 d
  02.23.04   03-12-08    04-02-23   1 mo 21 d     2 mo 15 d
  02.17.04   03-10-31    04-02-17   3 mo 2 d      3 mo 19 d
  02.12.04   04-02-09    04-02-12   0 d           3 d
  02.10.04   04-01-09    04-02-10   24 d          1 mo 1 d
  02.04.04   03-12-08    04-02-02   1 mo 21 d     1 mo 24 d
  09.25.03   03-02-25    ?          8 mo 0 d      ?
  07.29.03   03-04-20    03-07-29   2 mo 11 d     3 mo 9 d
  07.01.03   03-03-11    03-07-01   3 mo 0 d      3 mo 19 d
  05.22.03   02-12-31    03-05-22   4 mo 17 d     5 mo 22 d
  02.12.03   02-10-31    03-02-12   2 mo 29 d     3 mo 13 d
  02.03.03   02-01-11    03-02-10   12 mo 9 d     12 mo 29 d

  "iDEFENSE will responsibly inform vendors as soon as possible after having learned of a problem with their product(s) or service(s)."

Five different times, iDefense sat on a vulnerability for OVER A YEAR. They routinely wait one or more months to notify the vendor. Is that "as soon as possible"? Of course not, that would hurt the bottom line.
Sincerely,
Dark Elf

References

07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
  02/02/2004 Exploit discovered by iDEFENSE
  03/11/2004 Initial vendor notification
  03/11/2004 Initial vendor response
  03/11/2004 iDEFENSE clients notified
  06/07/2004 Vendor update released
  07/12/2004 Public Disclosure
  * original full-disc post listed 02/02/2003 discovery date

07.09.04 - wvWare Library Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
  06/29/2004 Initial vendor contact
  07/06/2004 Vendor response
  07/09/2004 Public disclosure

07.08.04 - SSLTelnet Remote Format String Vulnerability
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
  04/03/2003 Vulnerability acquired by iDEFENSE
  06/29/2004 Initial vendor contact
  07/02/2004 Secondary vendor contact
  07/08/2004 Public disclosure

07.01.04 - WinGate Information Disclosure Vulnerability
http://www.idefense.com/application/poi/display?id=113&type=vulnerabilities
  09/27/03 Exploit acquired by iDEFENSE
  06/04/04 Initial vendor notification
  06/10/04 Secondary vendor notification
  06/21/04 iDEFENSE clients notified
  06/23/04 Initial vendor response
  07/01/04 Public Disclosure

06.23.04 - Lotus Notes URI Handler Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities
  04/21/2004 Exploit acquired by iDEFENSE
  05/05/2004 iDEFENSE clients notified
  05/05/2004 Initial vendor notification
  05/07/2004 Initial vendor response
  06/23/2004 Public disclosure

06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=110&type=vulnerabilities
  02/26/04 Issue acquired by iDEFENSE
  06/09/04 Initial vendor contact
  06/09/04 iDEFENSE clients notified
  06/21/04 Public disclosure

06.10.04 - Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities
  04/14/2004 Exploit discovered by iDEFENSE
  05/12/2004 Initial vendor notification
  05/12/2004 iDEFENSE clients notified
  05/13/2004 Vendor response
  06/10/2004 Coordinated public disclosure

06.08.04 - Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
  04/27/04 Exploit acquired by iDEFENSE
  05/19/04 iDEFENSE Clients notified
  05/20/04 Initial vendor notification
  05/20/04 Initial vendor response
  06/07/04 Public Disclosure

06.07.04 - PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability
http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
  04/05/03 Vulnerability acquired by iDEFENSE
  05/07/04 iDEFENSE clients notified
  05/07/04 Initial vendor notification
  05/17/04 Initial vendor response
  05/17/04 Public disclosure

05.27.04 - 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass Vulnerability
http://www.idefense.com/application/poi/display?id=106&type=vulnerabilities
  02/18/04 Exploit acquired by iDEFENSE
  03/08/04 iDEFENSE Clients notified
  03/11/04 Initial vendor notification - no response
  03/30/04 Secondary vendor notification - no response
  05/27/04 Public Disclosure

05.26.04 - 3Com OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability
http://www.idefense.com/application/poi/display?id=105&type=vulnerabilities
  02/18/04 Exploit acquired by iDEFENSE
  03/08/04 iDEFENSE Clients notified
  03/11/04 Initial vendor notification - no response
  03/30/04 Secondary vendor notification - no response
  05/26/04 Public Disclosure

05.12.04 - Opera Telnet URI Handler File Creation/Truncation Vulnerability
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
  April 2, 2003 Exploit acquired by iDEFENSE
  April 7, 2004 Initial vendor notification
  April 7, 2004 iDEFENSE clients notified
  April 14, 2004 Initial vendor response
  May 12, 2004 Coordinated public disclosure

09.25.03 - Sambar Server Multiple Vulnerabilities
http://www.idefense.com/application/poi/display?id=103&type=vulnerabilities
  February 25, 2003 Exploit acquired by iDEFENSE
  September 25, 2003 Initial vendor notification
  September 25, 2003 Vendor response

04.15.04 - RealNetworks Helix Universal Server Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=102&type=vulnerabilities
  December 8, 2003 Exploit acquired by iDEFENSE
  January 24, 2004 iDEFENSE clients notified
  January 26, 2004 Initial vendor notification
  April 15, 2004 Public disclosure

04.14.04 - Buffer Overflow in ISO9660 File System Component of Linux Kernel
http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities
  January 9, 2004 Exploit acquired by iDEFENSE
  February 20, 2004 Initial vendor notification
  February 20, 2004 iDEFENSE clients notified
  April 14, 2004 Coordinated public disclosure

04.13.04 - Microsoft Help and Support Center Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=100&type=vulnerabilities
  [prior] Exploit disclosed to vendor by contributor
  January 12, 2004 Exploit acquired by iDEFENSE
  January 12, 2004 iDEFENSE clients notified
  January 19, 2004 iDEFENSE Initial contact with vendor
  January 23, 2004 Initial vendor reply
  April 13, 2004 Coordinated public disclosure

04.05.04 - Perl win32_stat Function Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities
  January 09, 2004 Vulnerability discovered by iDEFENSE
  February 25, 2004 Initial vendor contact
  February 26, 2004 iDEFENSE clients notified
  February 26, 2004 Vendor response
  April 05, 2004 Public disclosure

03.19.04 - Borland Interbase admin.ib Administrative Access Vulnerability
http://www.idefense.com/application/poi/display?id=80&type=vulnerabilities
  January 13, 2004 Vulnerability acquired by iDEFENSE
  February 9, 2004 Initial vendor notification sent - no response
  February 12, 2004 iDEFENSE clients notified
  March 1, 2004 Secondary vendor notification sent - no response
  March 19, 2004 Public disclosure

03.09.04 - Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
  October 10, 2003 Vulnerability acquired by iDEFENSE
  November 12, 2003 Initial vendor notification
  November 12, 2003 Initial vendor response
  November 21, 2003 iDEFENSE clients notified
  March 09, 2004 Coordinated public disclosure
  March 11, 2004 Updated advisory

03.02.04 - FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities
  January 22, 2004 Exploit acquired by iDEFENSE
  February 17, 2004 iDEFENSE clients notified
  February 18, 2004 Initial vendor notification
  February 18, 2004 Initial vendor response
  March 02, 2004 Coordinated public disclosure

02.27.04 - WinZip MIME Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities
  January 13, 2004 Vulnerability acquired by iDEFENSE
  February 9, 2004 Initial vendor notification
  February 9, 2004 Initial vendor response
  February 10, 2004 iDEFENSE clients notified
  February 27, 2004 Coordinated public disclosure

02.27.04 - Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities
  February 4, 2004 Vulnerability acquired by iDEFENSE
  February 10, 2004 Initial vendor notification
  February 10, 2004 Initial vendor response
  February 11, 2004 iDEFENSE clients notified
  February 27, 2004 Public disclosure

02.23.04 - Darwin Streaming Server Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=75&type=vulnerabilities
  December 8, 2003 Exploit acquired by iDEFENSE
  January 29, 2004 iDEFENSE clients notified
  January 29, 2004 Initial vendor notification
  January 29, 2004 Vendor response received
  February 23, 2004 Coordinated public disclosure

02.17.04 - Ipswitch IMail LDAP Daemon Remote Buffer Overflow
http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities
  October 31, 2003 Exploit acquired by iDEFENSE
  February 2, 2004 Initial vendor notification
  February 3, 2004 iDEFENSE clients notified
  February 3, 2004 Vendor response received
  February 17, 2004 Coordinated public disclosure

02.12.04 - XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73&type=vulnerabilities
  February 9, 2004 Exploit acquired by iDEFENSE
  February 9, 2004 Initial vendor notification
  February 9, 2004 Response received from David Dawes at XFree86.org
  February 10, 2004 iDEFENSE Clients notified
  February 12, 2004 Public disclosure

02.10.04 - XFree86 Font Information File Buffer Overflow
http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities
  January 9, 2004 Exploit acquired by iDEFENSE
  February 3, 2004 Vendor notified
  February 3, 2004 Response received from David Dawes at XFree86.org
  February 4, 2004 iDEFENSE clients notified
  February 10, 2004 Public disclosure

02.04.04 - GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71&type=vulnerabilities
  December 8, 2003 Vulnerability acquired by iDEFENSE
  January 29, 2004 Initial vendor notification sent
  January 29, 2004 iDEFENSE clients notified
  February 2, 2004 Response received from Sergey Poznyakoff of GNU Radius Project
  February 2, 2004 Public disclosure on the bug-gnu-radius () gnu org mailing list
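As an added example (not code from the post or from iDEFENSE), a script that parses advisory timeline lines in the formats quoted in the references above and computes the discovery-to-vendor-contact and discovery-to-publication intervals behind the table. The function names (`parse_timeline`, `disclosure_lag`) and the sample constant are this example's own, and the calendar-month breakdown is its own convention, since the post does not state how its "N mo N d" figures were rounded.

```python
# Added example (not code from the post): measure discovery-to-vendor and
# discovery-to-public lag from iDEFENSE-style timeline lines.
import calendar
import re
from datetime import date

# Accepts "03/11/2004", "05/17/04" and "January 9, 2004" date prefixes.
DATE_RE = re.compile(r"^\s*(?:(\d{1,2})/(\d{1,2})/(\d{2,4})|([A-Z][a-z]+) (\d{1,2}),? (\d{4})) +(.+)$")
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}

def parse_timeline(text):
    """Return [(date, event)] for each recognised timeline line; others are skipped."""
    out = []
    for m in filter(None, map(DATE_RE.match, text.splitlines())):
        if m.group(1):  # numeric form, two- or four-digit year
            mo, d, y = int(m.group(1)), int(m.group(2)), int(m.group(3))
            y += 2000 if y < 100 else 0
        else:           # "Month D, YYYY" form
            mo, d, y = MONTHS[m.group(4)], int(m.group(5)), int(m.group(6))
        out.append((date(y, mo, d), m.group(7).strip()))
    return out

def add_months(d, n):
    """d plus n calendar months, clamping the day (Jan 31 + 1 -> Feb 28/29)."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def months_days(start, end):
    """Whole calendar months from start to end, plus the leftover days."""
    months = (end.year - start.year) * 12 + end.month - start.month
    if add_months(start, months) > end:
        months -= 1
    return months, (end - add_months(start, months)).days

def disclosure_lag(text):
    """Lag from discovery/acquisition to first vendor contact and to publication."""
    events = parse_timeline(text)
    first = lambda p: next((d for d, e in events if p(e.lower())), None)
    found = first(lambda e: "acquired" in e or "discovered" in e)
    vendor = first(lambda e: "vendor" in e and ("notif" in e or "contact" in e))
    public = first(lambda e: "public disclosure" in e)
    lag = lambda d: None if found is None or d is None else ((d - found).days, months_days(found, d))
    return {"found": found, "vendor": lag(vendor), "public": lag(public)}

# Timeline quoted in the post's references (SSLTelnet advisory, id=114).
SSLTELNET = """04/03/2003 Vulnerability acquired by iDEFENSE
06/29/2004 Initial vendor contact
07/02/2004 Secondary vendor contact
07/08/2004 Public disclosure"""
```

`disclosure_lag(SSLTELNET)` reports vendor contact after 453 days (14 mo 26 d) and publication after 462 days (15 mo 5 d), which agrees with the 07.08.04 row of the table above.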