> -----Original Message----- > From: Dr. Mudge [SMTP:mudgeat_private] > Sent: Thursday, December 03, 1998 9:45 PM > Subject: Breaking into houses to steal the security systems... Was:[SAFER-981204.DOS.1.3] Buffer Overflow in Platinum PCM 7.0 > > In the SAFER bulletin they mention compromising software that was > explicitly installed as an additional security measure. > > While joking around I was mentioning to some colleagues about the > attrocity of some (most) of the security related products out there right > now. Not in what they are claiming to accomplish but in the lack of sound > coding in their own products. I thought it was pretty much understood but > the amazed looks on their faces told me otherwise. So I figured I might > point this out in case that was not an isolated assumption that these > people had. Hopefuly I'm already preaching to the choir on Bugtraq. > > [Note - though I explicitly mention ISS and Axent they are by no means any > worse or better than others not mentioned here... in addition I am > referring to older versions of their products. I have not spent time > looking at their most current releases to verify whether things have > improved or gotten worse. Please take this for what it is meant to be - a > general rant about the security vendor world as it stands... not an attack > against particular vendors] The security issues brought up by Dr. Mudge have been fixed for close to 2 years now. Internet Scanner 4.3 and higher are not affected, but I'd recommend upgrading to the latest version of Internet Scanner 5.4 or soon-to-be released 5.6. We have added a significant number of new security checks since IS 4.3, so there are probably bigger holes left unexposed on your network then just an old Internet Scanner if you are still running that. Internet Scanner 5.4 includes many new checks for routers (e.g., Cisco) and IS 5.6 is in beta on our web with an additional 90 checks for Windows NT. IS 5.6 also contains Smart Scan technology that leverages known vulnerabilities (ie., compromised accounts from certain domains) from one machine and applies to the rest of the scanned network, thus identifying possible extended paths for further compromise of the entire network. I agree with Mudge about trying to write secure products. At the time that the issue that Mudge points out was introduced, ISS was less than 10 people in total. Since then, ISS is now over 300 people and we have put in place internal design reviews, source code reviews, and QA to make our products more secure, reliable, and better quality. We are taking steps to improve our products as best as we can. Sincerely, Chris
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:42 PDT