Upfront, I'd like to recognize that ISS has been doing a great job at finding very critical but obscure vulnerabilities in popular services. I'm guessing that there have been a lot of other security experts that have audited the source code of Bind, SSH, etc. and overlooked the discrepancies that ISS picks up on.

Russ Cooper, the Surgeon General of TruSecure, blasted ISS publicly on the Symantec Bugtraq mailing list with an opinion on how ISS is irresponsible for not working with the ISC to properly patch Bind and how they unethically updated their own products.

http://online.securityfocus.com/archive/1/299751/2002-11-11/2002-11-17/0

Here's updated information that clears up whether ISS was acting responsibly and properly gave notice to the ISC BIND organization. Maybe Russ should give ISS an apology for jumping to conclusions without waiting for facts.

http://developers.slashdot.org/comments.pl?sid=44855&threshold=-1&commentsort=0&tid=172&mode=thread&cid=4653012

Re: Did ISS tell bind maintainers?

    ISS and ISC worked together on this. ISS found the vulns, ISC worked with
    the vendors, and both of us worked with CERT and coordinated the
    announcements.

    Paul Vixie
    Chairman, ISC

Re: Did ISS tell bind maintainers?
by Florian Weimer (fw@deneb.enyo.de) on Tuesday November 12, @06:43PM (#4655265) (http://www.enyo.de/fw/)

    > Does anyone know if ISS did the right thing, or are they being big
    > doo-doo-heads?

    In this case, ISS did not rush ahead. This was a coordinated release. Of
    course, something went horribly wrong, but I don't think ISS is to blame
    for it (maybe they could have warned ISC that their approach wouldn't
    work out, though).

http://online.securityfocus.com/archive/1/299873/2002-11-11/2002-11-17/0

Subject: Re: Bind 8 bug experience
Date: Nov 14 2002 2:41PM
Author: Olaf Kirch <okir@suse.de>

    On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C. Reed wrote:
    > But I see the patches were made October 30 (if the dates are reliable).

    In fact I believe ISC have been sitting on this for almost a month. The
    CVE IDs were assigned October 16, and I have reason to believe that they
    learned of this no later than October 23. Members of BIND Forum were
    notified last week, from what I'm told.

    In my opinion, the main reason for ISC to use this method of distributing
    the patches rather than going through established channels (such as CERT)
    was to be able to convince software vendors and other bodies
    using/distributing BIND to become a member of BIND Forum. I don't know if
    that worked out, but I have my doubts.

    From my experience of the past two days, I believe they did not expect
    there to be such a demand for the patches...

** My Own Msg below To Russ **

Regarding Russ Cooper trying to shoot the messenger, where ISS has reported BIND vulnerabilities, I have not seen any evidence of ISS acting irresponsibly. It appears they have worked with the vendor to develop patches and a fix. On ISC Bind's website, they thank ISS in many places. ISS's advisory recommended several work-arounds as well. They did not release any exploit code or demonstration code. Their security advisory is very benign compared to many other posts on Bugtraq.

I don't understand Russ accusing ISS of violating the code of ethics of vulnerability disclosure by updating their own security products against the vulnerabilities. It would seem ridiculous if they DIDN'T update their products when they find vulnerabilities. I would hope any security company who found vulnerabilities would update their products as quickly as possible. IMHO, if ISS finds a vulnerability, they should update their products while the vendor fixes their products. If TruSecure, Russ Cooper's employer, ever found a vulnerability, I would expect them to update their products also. When's the last time TruSecure spent any R&D money finding vulnerabilities and released an advisory?

At least ISS is helping find these vulnerabilities, working with the vendors to correct them, and if they want to update their products and make money off of it, so be it. We still do live in a capitalistic society. ISS, Bindview, Foundstone, and any other security company that finds holes and updates its products for these new vulnerabilities will make their customers more protected; I think that is why they are in business and that's why they invest in finding vulnerabilities and fixing them.

In the end, I'd rather have a security company find the vulnerabilities and work with the vendor to fix them, than stay in the dark and let the holes stay open for intruders to exploit.

---
Mark Sala
System Admin