Forwarded from: security curmudgeon <jericho@private>

http://www.attrition.org/security/rant/cisco01.html

Cisco: There is no fixed software for this issue.
Fri Feb 4 01:55:02 EST 2005
Jericho

I think it is time to give up on Cisco.

Most professionals in the security industry have long since given up on vendors such as Microsoft and resigned ourselves to the fact that they don't understand security, and that for all the marketing and PR these companies never will. Year after year, we see stupid and trivial security bugs pop up in their software. Oftentimes these are the same vulnerabilities reborn with a new product, or the same class of vulnerabilities creeping back into the code due to poor programming practices. In other cases, vulnerabilities are found and supposedly patched by vendors. Days or weeks later, it is discovered that the patch does not fully mitigate the original problem and can be bypassed, and the software is still vulnerable.

Yesterday, Cisco Systems, Inc. posted a new security advisory announcing a vulnerability in one of their product lines. This is not new for Cisco by any means, as they have released 155 security advisories dating back to June 1, 1995. Why is this one different? The proverbial straw that broke the camel's back, perhaps.

The issue is not that just another vulnerability affects their products, nor is it the number of issues Cisco has posted over the years. While depressing to anyone responsible for the security of one of their devices, it is mostly manageable. Cisco has been fairly good about addressing problems in the past, providing patches and solid workarounds and eventually selling new versions of their software that aren't affected. Until now.

There are two issues with the latest advisory covering a vulnerability in Cisco IP/VC Products. Either issue on its own should have Cisco customers up in arms demanding better products and better service.
As long as companies continue to buy and support irresponsible and unethical vendors, they will continue to deliver over-priced insecure software.

[..]

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Mon Feb 07 2005 - 06:16:26 PST