Penetration Testing mailing list archives

Re: Siebel Vulnerabilities


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Tue, 09 Aug 2005 11:15:44 +0200

security curmudgeon wrote:

: Trust security vulnerability databases and sources for the common stuff
: (i.e. wide-spread applications such as web servers or operating
: systems), don't trust them to be accurate when dealing with uncommon
: stuff only fortune 100 companies use.

Have you actually looked at the VDBs lately? This comment makes me think you haven't.

I use them on a regular basis. I'm going to push my point with a few questions: what vulnerabilities related to WebSeal (Tivoli Authentication Manager) do you find in your favorite VDBs? There are more relevant vulnerabilities published in _public_ product release notes (available online), much more than just those in VDBs (CAN-2001-1191 and CVE-2001-0982 if you care to look).

And there's a lot of widespread software that does not provide public information about security fixes (not even release notes are available online). Just to pick one, how about the Tibco suite? How many vulnerabilities do you find in your favorite VDB?

These are just a few I've been involved with in audits in the past. My experience in those audits drives the comments in my previous e-mail.

Regards

Javier

