> 1) Our policy for publishing advisories is to give a vendor 30 to 45
> day quiet period to provide an opportunity to create a patch or work around.
> If an exploit for the vulnerability appears in the wild, or a patch and
> work-around is provided by the vendor or ISS X-Force, this quiet period is
> disregarded and the ISS X-Force advisory is published immediately.
>
> In the case of this advisory, ISS X-Force provided an Apache patch and did
> not see a need for a long quiet period.
> 2) The original ISS X-Force Apache Patch did work properly against the
> specific vulnerability described by X-Force, despite claims that it did not.
> The Apache and CERT advisories on their websites have been corrected to
> reflect this.

If you confirm things with the vendor first, you won't have the kind of confusion that ensued. When WebInspect users called me asking what we meant by "the patch supplied by ISS is disputed by the Apache Software Foundation", I had to explain to them that basically they had the choice of shutting down their production servers or deciding to trust a patch that wasn't confirmed by Apache. I'm sure many other security professionals and system administrators had similar experiences.

> 3) ISS was not aware of other researchers discovering this
> vulnerability nor aware of it in the wild at the time of the release of the
> advisory.
> 5) The Gobbles' exploit has confirmed our decision to release as soon
> as possible based on our assumption that others were likely to discover the
> same vulnerability in the wild.

Did you assume that other people had discovered this or not? Playing this "Well, we had no PROOF that it was known but we ASSUMED that it did, so we can behave in whatever way we want and justify it with either one" game is silly.

> 6) We do not view this as a race to beat other researchers to releasing
> an advisory, but a race to protect our customers in a timely manner.

Chris Rouland's statements to CNN (http://www.cnn.com/2002/TECH/industry/06/18/computer.security.ap/index.html) make me doubt this:

"Complicating the matter, Rouland said he didn't trust Cox, who along with his Apache duties is the senior director of engineering at Red Hat Software, which distributes the Linux operating system. Rouland accused Red Hat of taking credit for earlier ISS research."

This is clearly simple, petty jealousy before responsibility. You want credit just like everyone else does, of course, but come on... And Apache did give proper credit after all. (http://httpd.apache.org/info/security_bulletin_20020620.txt)

> Due to the general nature of open-source and its openness, the virtual
> organizations behind the projects do not have an ability to enforce strict
> confidentiality. By notifying the open source project, its nature is that
> the information is quickly spread in the wild disregarding any type of quiet
> period. ISS X-Force minimizes the quiet period and delay of protecting
> customers by providing a security patch.

This is obviously ridiculous. It sounds like something Microsoft would say in one of their FUD campaigns. The gist here is that open-source software projects are inherently incapable of confidentiality in dealing with sensitive issues. I suppose all of the Apache users in the world would have instantly known if you had sent an email to the lead developers? Throwing out garbage terminology like "virtual organizations" is marketing and business talk that doesn't belong on Bugtraq. I know just as well as anyone else reading this list that any organization is made up of people, and people can be dealt with like people. If the group of people that had known about the issue had gotten large enough that it spread to someone that developed an exploit using this new information, and the exploit in turn began to spread and was being used in the wild, you could've released the advisory THEN. But X-Force didn't even bother.

In any case, the WORST that would've happened is that a whole bunch of people would've found out about the vulnerability before there was a known and confirmed patch available, which was exactly what happened when X-Force DIDN'T notify Apache. If your above theory held water (and assuming Mark Cox wasn't lying), we all would've known about the vulnerability before three days ago because it was previously reported. Clinging to that argument after the fact is absurd.

Kevin Spett
SPI Dynamics, Inc.
http://www.spidynamics.com