
RE: [Full-Disclosure] Vendor casual towards vulnerability found in product



Hi Harlan

Thanks for the reply, it was an interesting read. 

>> Perhaps.  What is the real risk of destroying
>> configuration files, if backups are being made?
They restore from backup, someone erases them again, they restore, someone 
erases again, they restore...

>>  Also, think carefully about this situation.  Are you
>>  angry (you did type "grrrr" at one point) b/c the
>>  vendor isn't responding in the manner that *you* think
>>  they should?
I would like to say that yes, I am none too happy with the way the vendor has 
reacted to this. And I shall explain why. I am responsible for a few of the 
production sites exposed and vulnerable to this flaw since they run this 
product. And there is nothing I can do to fix them since the flaw is core to 
the product. If this is known to anyone outside of the vendor's team, my servers 
are roadkill. And this thought doesn't really give me a warm feeling inside.

Having said this I am not gonna go stark raving mad or do anything 
irresponsible. I have already notified the admins of the public sites I came 
across (I just googled and found these, there may be many more) and have mailed 
them other possible loopholes which I have already closed on my boxes, but not 
the current one, since I don't know how to close it myself. Some of the admins 
didn't have the tech knowhow so I sent them the fixes. As Gadi, Chris and 
morning_wood have mentioned, I have given prior information to the vendor and 
have even asked permission for this to be published, which was granted (to my 
surprise). I had even gone to the extent of asking for a security expert on the 
vendor's side to be involved in the mails, since I realised that the chap I 
talked to (an expert in that component) didn't know too much about security 
("What's this Bugtraq and Full Disclosure that you keep mentioning??" was his 
reply). Well, no one from security was made available. I gave up after that.

>>  Uhm..."mailto:full-disclosure@xxxxxxxxxxxxxxxx"??? 
>>  (did I miss something obvious in your question?)
I just wanted to know if there is a procedure to this; got the answer from the 
other folks. Thanks guys...

>>  You don't want to come across as someone who's upset
>>  b/c you found your first vulnerability and you don't
>>  think the vendor is taking it as seriously as you
>>  think they should.
Let's put it this way...I am upset *because* I found a vulnerability :):)


Thanks all for your comments, I think I know what to do now.

Regards
Steven Rebello



-----Original Message-----
From: Harlan Carvey [mailto:keydet89@xxxxxxxxx]
Sent: Wednesday, May 26, 2004 7:33 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Cc: Steven Rebello
Subject: Re: [Full-Disclosure] Vendor casual towards vulnerability found
in product


Steven,

One bit of advice...to quote Morpheus, "welcome to the
desert of the real."
 
> 1. Would an exploit like this be said to be severe? 

Perhaps.  What is the real risk of destroying
configuration files, if backups are being made?
 
> 2. Is the vendor right in their approach to this
> issue?

They seem to think so.  

> 3. How do I make public the vulnerability? (Vendor
> has given permission for the same) 

Uhm..."mailto:full-disclosure@xxxxxxxxxxxxxxxx"??? 
(did I miss something obvious in your question?)

> 4. Ok, I'll rather ask... *should* I make public
> details of this
> vulnerability? (Since I know of sites using this app
> server, and they may be
> taken down if the exploit goes out)

Well, since you know of the sites, maybe you could
start by going to those folks and explaining the issue
to them...what happens, what's the effect, and how to
protect against it.  If the vendor isn't dealing w/ it in
(in your opinion) a timely manner, or isn't dealing w/
it in the way you think they should, then releasing it
to the public (since, as you say, they've given their
permission) might be a way to go.  Or maybe first
releasing it to the folks using the product, and
telling them that on such-and-such a date you're going
to release it to the general public...that might be
another option.

One trap you have to avoid falling into is coming
across sounding like a nut.  If you decide to publish
this vulnerability to the general public, understand
that putting things like "shout outs to my peeps" and
"f*ck you's" in the posting will very likely reduce
your overall credibility.

Also, think carefully about this situation.  Are you
angry (you did type "grrrr" at one point) b/c the
vendor isn't responding in the manner that *you* think
they should?  After all, according to your own post,
they've been aware of the vulnerability for a while,
and haven't dealt with it to your
satisfaction...which, unless you've been under a rock
for the past 5 yrs, is nothing new.  Maybe the vendor
knows about it, but hasn't taken what *you* would
consider to be adequate action b/c they haven't
received any (or that many) reports from customers
about this situation.  When you're dealing w/ a
company like the one you're talking about, what they
focus on at any given time is driven by economics.

You don't want to come across as someone who's upset
b/c you found your first vulnerability and you don't
think the vendor is taking it as seriously as you
think they should.  




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html