Is this the sort of disclosure we can expect based on the (OIS) Organization for Internet Safety's "code of conduct" and/or "best practices" for vulnerability disclosure? ISS is a founding member of OIS, together with @stake, Bindview, Caldera, Foundstone, Guardent, Microsoft, NAI, Oracle, SGI, and Symantec (Symantec owns SecurityFocus). From [2]OIA FAQ page; "OIS was formed as a unique partnership between leading security researchers and vendors, for the purpose of proposing"..."processes for handling security vulnerabilities." "OIS is committed to public review and comment on all proposed processes.", therefore, I submit this public review and comment on a process used by one of its founding members. "Does OIS support pre-disclosure of vulnerability information to select groups? No. We believe the software author should be given a chance to create a fix before vulnerability information is made public, but that there should be no further distribution of that information until the fix is complete." From [4]ISS X-Force Advisory; "The vulnerabilities described in this advisory affect nearly all currently deployed recursive DNS servers on the Internet." and The following ISS updates and product releases address the issues described in this advisory. These updates are available from the ISS Download Center (http://www.iss.net/download): RealSecure Network Sensor XPU 20.7 and XPU 5.6 Internet Scanner XPU 6.20 RealSecure Guard 3.1 ebs RealSecure Sentry 3.1 ebs RealSecure Server Sensor 6.5 SR 3.3 System Scanner SR 3.08 ISS says that the ISC, which is the reference implementation of the affected BIND versions, has made patches available. However, the ISC website[3] tells visitors that they must email them to "speak to ISC about patches", and indicate that new releases of the affected versions are "coming soon". BIND 8.3.3. is still recommended and available on the ISC site, despite the fact its affected by all three of the vulnerabilities cited by ISS. This hardly constitutes them having "made patches available". There are also hundreds of BIND implementations that are affected beyond the ISC implementation, and none of those vendors have any indications of patches for this issue (or even information about this issue). A quick check of all of the vendors listed on the ISC' "Vendor products based on BIND" page shows that none of them have anything up about the issues, whether it affects their products, etc... this includes Nortel, Lucent, Checkpoint and others. From [2]OIS FAQ page; "Does OIS exchange non-public vulnerability information amongst its membership? No. The OIS Code of Conduct prohibits the distribution of vulnerability information to anyone other than the discoverer and the software author." ISS had no trouble using this information to update all of their products, clearly they distributed the vulnerability information to all of their product teams, possibly 100's of people, in violation of the OIS "code of conduct". From [2]OIS FAQ page; "What does OIS think about the auctioning or selling of non-public vulnerability information? We believe that it is unethical to intentionally make one person more vulnerable than another." Clearly, anyone who is not using all of ISS' products are more vulnerable than anyone else, if you have a vulnerable BIND server in your environment. I'd call that "selling of non-public vulnerability information", wouldn't you? This is class SYN-Flooding tactics. It is also worth pointing out that ISS is the coordinator for the ISP ISAC. Such a role should be played by someone who is beyond reproach when it comes to the ethics of security vulnerabilities. In ISS' case they can probably not worry too much about their members being upset since the vast majority of ISPs are likely running unaffected versions of BIND. However, the vast majority of Corporate America, not to mention companies, educational institutions, and smaller ISPs around the world ARE affected. Our analysis shows that an attack based on these vulnerabilities will be trivial, and that upgrading to BIND 9.x will not be a quickly adopted path. One tries to assume that ISS felt this information was going to leak to the public soon and, therefore, needed to publish the alert in order to maintain the media attention/credit. Yet in doing so not only have they shown the total ineffectiveness of the OIS, they have also put the majority of the Internet at unnecessary risk. They say they know of no active attacks, so what was the reason to rush this to the public? If someone else was going to leak it, it would have been better to allow them to do so, and afterwards, follow up with the public with their more detailed advisory. In the time between now and whenever this unknown person would have leaked the information, or a new attack released based on it, ISS may have been able to get more vendors to provide patches for their implementations. I coined the phrase "Responsible Disclosure"[1], and it was not intended to be represented by actions like this taken by ISS in its name. OIS should publicly denounce ISS' action if it expects to maintain any credibility, and ISS should explain its reasoning as to why it has put the Internet at greater risk due to its irresponsible disclosure. Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor Ref: [1]Proposal - The Responsible Disclosure Forum http://www.ntbugtraq.com/rdforum.asp [2]About the Organization for Internet Safety http://www.oisafety.org/about.html [3]Internet Software Consortium BIND Vulnerabilities http://www.isc.org/products/BIND/bind-security.html [4]Internet Security Systems Security Advisory November 12, 2002 http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
This archive was generated by hypermail 2b30 : Sat Nov 16 2002 - 02:01:56 PST