Re: SUN almost has a clue! (automountd)

From: David LeBlanc (dleblancat_private)
Date: Wed Jan 06 1999 - 05:47:58 PST

    At 01:41 PM 1/5/99 +0100, Andreas Bogk wrote:
    >On Mon, Jan 04, 1999 at 05:38:46PM -0800, Friedrichs, Oliver wrote:
    >> It was never publicly noted, since the problem hasn't been fixed
    >> yet (and as a security company, we aren't in the habit of
    >> disclosing bugs which aren't fixed), however many people knew
    
    >And all the script kiddies out there are probably very grateful for
    >that. Experience shows that vendors don't move unless the bug is
    >disclosed.
    
    This is not always the case, and I'm sure Oliver can confirm this.  I can
    also give an example.  ISS and SNI both reported denial of service attacks
    regarding malformed NetBIOS packets to Microsoft independently.  It turned
    out that the problems we reported were in the same area.  Microsoft fixed
    it promptly without the issue ever going public - it was the post-SP3 srv-fix.
    
    This is consistent with my personal experiences with MS.  I have never once
    had to take something public or threaten to do so to get something fixed,
    and they have eventually fixed (or are currently trying to fix) nearly
    everything I've reported.  I understand that other people have had
    different experiences with the same company, so YMMV, and please do not
    send me flames about your experiences (OTOH, if you have something you're
    trying to get fixed, maybe I could help).
    
    OTOH, another company told me I was a complete idiot when I reported an
    issue, and didn't fix it until I posted the problem to the lists.  There
    have been 2-3 subsequent reports of problems in their software, and I think
    they are starting to get a clue.
    
    I guess the bottom line here is that companies are all different (like
    people), and the results you get might even have something to do with how
    you treat them and your relationship with them.  I guess I just object
    strongly to the blanket statement that "vendors don't move unless the bug
    is disclosed".  That may be true of some vendors in some cases, but it is
    _not_ true of all vendors in all cases.  I'd urge people to at least give
    the vendor a chance to do the right thing - we're all better off with
    well-tested fixes instead of rush jobs.
    
    
    David LeBlanc
    dleblancat_private
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:33 PDT