[fw-wiz] recent disclosure debates
From: R. DuFresne (dufresne@sysinfo.com)
Date: 12/15/02
- Next message: Barney Wolff: "Re: [fw-wiz] recent disclosure debates"
- Previous message: Brian Ford: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Next in thread: Barney Wolff: "Re: [fw-wiz] recent disclosure debates"
- Reply: Barney Wolff: "Re: [fw-wiz] recent disclosure debates"
- Maybe reply: ISC Tattler: "Re: [fw-wiz] recent disclosure debates"
- Maybe reply: Marcus J. Ranum: "Re: [fw-wiz] recent disclosure debates"
- Maybe reply: Reckhard, Tobias: "RE: [fw-wiz] recent disclosure debates"
From: "R. DuFresne" <dufresne@sysinfo.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Sun Dec 15 19:43:01 2002
Folks,
There's been a flurry of debate re-arising from the ISS/ISC BIND
vulnerabilities disclosure fiasco. Considering the events that played out
on bugtraq and related lists, and recounted in:
http://www.eweek.com/article2/0,3959,758258,00.asp
<quote>
When Internet Security Systems Inc.'s X-Force research team last month
released an advisory warning of three newly discovered vulnerabilities
in BIND (Berkeley Internet Name Domain), the advisory said that
patches for the problems were ready and provided an e-mail address at
the Internet Software Consortium from which users could request the
patches. However, the patches at the time of the advisory were
available only to organizations that had paid the ISC a fee to receive
early warning of problems with BIND. The ISC, which maintains BIND,
established a limited-distribution, early-notification mailing list
last year when word of another batch of vulnerabilities leaked before
patches were available.
Michael Brennen, president of FishNet Inc., a Plano, Texas, domain
registrar, wrote to the ISC requesting the patches and asked why they
had not been made available at the time of the advisory. The ISC told
him it wanted to make sure that the right audience had the patches
first. "As of the moment of the announcement, 'the right audience'
should be expanded to include all those placed at risk because they
use the software," Brennen wrote. "Failure to make the patches
available suddenly puts many systems at rapidly increasing risk."
</quote>
I'm wondering why all the fingers are pointing so dramatically at ISS and
why ISC has received little or no heat in the issue. It appears in other
postings through bugtraq that ISS and ISC worked together for at least a
month on the issues ISS released their advisory on, and for which patches
seem to be dated back as ISC fixes to code. From all the reading I've
followed, there was a coordinated effort that failed when it came time to
make the patches available to the public, after members of BIND Forum were
notified and given advance patches. So, I'm wondering why ISS got so much
bad press on this issue and ISC remained unscathed for the most part.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!