Bugtraq mailing list archives

Re: SUN almost has a clue! (automountd)

From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Wed, 6 Jan 1999 08:47:58 -0500


At 01:41 PM 1/5/99 +0100, Andreas Bogk wrote:

On Mon, Jan 04, 1999 at 05:38:46PM -0800, Friedrichs, Oliver wrote:

It was never publicly noted, since the problem hasn't been fixed
yet (and as a security company, we aren't in the habit of
disclosing bugs which aren't fixed), however many people knew

And all the script kiddies out there are probably very grateful for
that. Experience shows that vendors don't move unless the bug is
disclosed.


This is not always the case, and I'm sure Oliver can confirm this.  I can
also give an example.  ISS and SNI both reported denial of service attacks
regarding malformed NetBIOS packets to Microsoft independently.  It turned
out that the problems we reported were in the same area.  Microsoft fixed
it promptly without the issue ever going public - it was the post-SP3 srv-fix.

This is consistent with my personal experiences with MS.  I have never once
had to take something public or threaten to do so to get something fixed,
and they have eventually fixed (or are currently trying to fix) nearly
everything I've reported.  I understand that other people have had
different experiences with the same company, so YMMV, and please do not
send me flames about your experiences (OTOH, if you have something you're
trying to get fixed, maybe I could help).

OTOH, another company told me I was a complete idiot when I reported an
issue, and didn't fix it until I posted the problem to the lists.  There
have been 2-3 subsequent reports of problems in their software, and I think
they are starting to get a clue.

I guess the bottom line here is that companies are all different (like
people), and the results you get might even have something to do with how
you treat them and your relationship with them.  I guess I just object
strongly to the blanket statement that "vendors don't move unless the bug
is disclosed".  That may be true of some vendors in some cases, but it is
_not_ true of all vendors in all cases.  I'd urge people to at least give
the vendor a chance to do the right thing - we're all better off with
well-tested fixes instead of rush jobs.


David LeBlanc
dleblanc () mindspring com

Current thread:

Re: SUN almost has a clue! (automountd) Friedrichs, Oliver (Jan 04)
- Re: SUN almost has a clue! (automountd) Andreas Bogk (Jan 05)
  - Re: SUN almost has a clue! (automountd) David LeBlanc (Jan 06)
- <Possible follow-ups>
- Re: SUN almost has a clue! (automountd) Scott (Jan 04)
  - Re: SUN almost has a clue! (automountd) Alan Cox (Jan 05)
- Re: SUN almost has a clue! (automountd) Michael Russell (Jan 05)
- Re: SUN almost has a clue! (automountd) der Mouse (Jan 05)
- Re: SUN almost has a clue! (automountd) Friedrichs, Oliver (Jan 05)
- Re: SUN almost has a clue! (automountd) Huger, Alfred (Jan 05)