ISS Advisory clarification

From: Klaus, Chris (ISSAtlanta) (CKlausat_private)
Date: Fri Jun 21 2002 - 13:15:53 PDT


    Quick clarification on several points based on emails that I've received:
    
    1)      We did notify Apache before going public.  ISS X-Force emailed
    Apache in the morning at 9:44am regarding this Advisory.  We waited until
    the afternoon before sending to Bugtraq for approval and finally reaching
    the Bugtraq mailing list archive at approximately Jun 17 2002 3:57PM.

    2)      Apache was not aware that a remote exploit vulnerability existed
    until ISS X-Force alerted them to the seriousness of this.  They were
    working on denial of service issues.

    3)      The ISS X-Force patch did work against the remote exploit that we found
    and it did address the Gobbles exploit.  While our patch did properly work
    against the remote exploits, we recommend using the official Apache patch.
    Apache's updated patch includes fixes for the remote exploit and denial of
    service attacks.

    4)      While the general nature of open-source and its virtual
    organizations does have enforcement of strict confidentiality issues, this is
    not true for every single open-source project.  This is based on past
    experience.  We have seen where open-source projects spread information
    immediately in the wild and we have seen some that are organized to maintain
    confidentiality.  ISS X-Force deals with all vendors on a case-by-case basis
    to provide maximum protection for our customers and the community.
     
    We are currently working with another major vulnerability dealing with an
    open-source vendor whereby we both are coordinating and cooperating and
    shrinking the 30 day quiet period significantly to quickly provide a patch
    to the public.  We are trying to learn from our experience and continue to
    improve the advisory release process.  We are hoping this next major
    advisory will be received more positively.
    
    
    ***********************************************************************
    Christopher W. Klaus
    Founder and CTO
    Internet Security Systems (ISS)
    6303 Barfield Road
    Atlanta, GA 30328
    Phone: 404-236-4051 Fax: 404-236-2637
    web http://www.iss.net
    NASDAQ: ISSX
    Internet Security Systems ~ The Power To Protect
    
    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 13:52:23 PDT