[ISN] Firm to Release Database & Web Server 0days

From: InfoSec News <alerts_at_private>
Date: Tue, 12 Jan 2010 11:05:04 -0600 (CST)
http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/

By Brian Krebs
krebsonsecurity.com
January 11th, 2010

January promises to be a busy month for Web server and database 
administrators alike: A security research firm in Russia says it plans 
to release information about a slew of previously undocumented 
vulnerabilities in several widely-used commercial software products.

Evgeny Legerov, founder of Moscow-based Intevydis, said he intends to 
publish the information between Jan 11 and Feb 1. The final list of 
vulnerabilities to be released is still in flux, Legerov said, but it is 
likely to include vulnerabilities (and in some cases working exploits) 
in:

- Web servers such as Zeus Web Server and Sun Web Server 
  (pre-authentication buffer overflows);

- Databases, including MySQL (buffer overflows), IBM DB2 (local root 
  vulnerability), Lotus Domino and Informix;

- Directory servers, such as Novell eDirectory, Sun Directory and Tivoli 
  Directory.

In an interview with krebsonsecurity.com, Legerov said his position on 
vulnerability disclosure has evolved over the years.

"After working with the vendors long enough, we've come to the conclusion 
that, to put it simply, it is a waste of time. Now, we do not contact 
with vendors and do not support so-called 'responsible disclosure' 
policy," Legerov said. For example, he said, "there will be published 
two years old Realplayer vulnerability soon, which we handled in a 
responsible way [and] contacted with a vendor."

[...]


Received on Tue Jan 12 2010 - 09:05:04 PST
