Bugtraq mailing list archives

Re: Napster, Inc. response to Colten Edwards


From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Thu, 30 Mar 2000 18:48:40 -0600


Jordan Ritter <jpr5 () napster com> wrote:
    Approximately one hour after receiving the post from BugTraq,
    Napster's servers were patched to prevent this from occurring.
    Users of the Napster Win32 client software are NOT vulnerable.

As long as the client has a buffer overflow, it is vulnerable.  OpenNAP
servers ( http://opennap.sourceforge.net/ ), for example, are an unknown
because no one has checked to see if they do sanity checking on the messages
they pass to clients.  Anyone using Win32 Napster on any non-Napster server is
potentially vulnerable.

Additionally, it could be possible for the other client to overflow another
part of the client.  Has the code been audited?  It doesn't seem it has
been, so this claim is unfounded.

Please audit your code, and then inform the public of a truly safe build.

    This situation is particularly disturbing to us, as Mr. Edwards'
    malicious intent becomes painfully obvious from the tone and
    candor of his post.  To the best of our knowledge, the general
    policy on BugTraq is that vendors should be notified of issues and
    given a reasonable amount of time to address the problem, so as to
    avoid unnecessary risk to the vendor's customers.  A meaningful

To the best of my knowledge, Elias Levy moderates into the list any mails
pertaining to a security issue in a product, such as an overflow in
Napster, which is in fairly widespread usage.  There are no guarantees of
service for companies who want a "breather" period.  If you wish to stay
abreast of these security issues, subscribe to Bugtraq like everyone else.
I'd also suggest, as you work with the Win32 platform, that you subscribe to
NTBugtraq as well, as they tend to carry the more esoteric Win32 security
issues.

--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!
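The argument above, that a server-side filter does not fix a client-side overflow because any third-party server can still relay the over-long message, is illustrated by the following added example.  It is not code from the original post, from Napster or from OpenNAP, and it does not reproduce the actual Napster bug: the frame layout (2-byte length, 2-byte type, payload), the message type number, the "nick" field and the 32-byte buffer are all assumptions made up for this illustration.  It contrasts a handler that copies a field into a fixed buffer with no bound (the class of defect under discussion) against one that enforces the bound in the client itself, and runs both through a filtering server and a non-filtering one.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical framing, assumed for this example only: 2-byte little-endian
   payload length, 2-byte type, then payload.  Not the real Napster format. */
#define MAX_FRAME  1024
#define MAX_NICK   32        /* assumed fixed buffer size in the client */
#define MSG_PUBLIC 0x0193    /* arbitrary type number for this example */

struct msg {
    uint16_t len;
    uint16_t type;
    const unsigned char *payload;
};

/* Build one frame; returns total size or 0 if it would not fit in out[]. */
static size_t build_frame(unsigned char *out, size_t out_sz, uint16_t type, const char *payload)
{
    size_t plen = strlen(payload);
    if (plen > 0xFFFF || plen + 4 > out_sz) return 0;
    out[0] = (unsigned char)(plen & 0xFF);
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(type & 0xFF);
    out[3] = (unsigned char)(type >> 8);
    memcpy(out + 4, payload, plen);
    return plen + 4;
}

/* Parse a header; reject frames whose declared length exceeds the bytes actually
   received, so code after this point can trust m->len. */
static int parse_frame(const unsigned char *buf, size_t n, struct msg *m)
{
    if (n < 4) return -1;
    m->len  = (uint16_t)(buf[0] | (buf[1] << 8));
    m->type = (uint16_t)(buf[2] | (buf[3] << 8));
    if ((size_t)m->len > n - 4) return -1;
    m->payload = buf + 4;
    return 0;
}

/* Length of the first space-delimited field (the made-up "nick" field). */
static size_t first_field_len(const struct msg *m)
{
    size_t i = 0;
    while (i < m->len && m->payload[i] != ' ') i++;
    return i;
}

/* VULNERABLE (hypothetical): copies the nick into a fixed stack buffer with no
   check against sizeof nick.  Safe only if every server it ever talks to filters
   over-long fields, which is the assumption the post rejects.  Only ever called on
   benign input here; a long field would be undefined behaviour. */
static int handle_vulnerable(const struct msg *m)
{
    char nick[MAX_NICK];
    size_t i = 0;
    while (i < m->len && m->payload[i] != ' ') {
        nick[i] = m->payload[i];      /* writes past nick[] when the field is long */
        i++;
    }
    nick[i] = '\0';
    return (int)i;
}

/* HARDENED: the bound is enforced in the client, so it holds whatever server
   relayed the message.  Over-long fields are rejected, not silently truncated. */
static int handle_hardened(const struct msg *m, char *nick, size_t nick_sz)
{
    size_t n = first_field_len(m);
    if (n == 0 || n + 1 > nick_sz) return -1;
    memcpy(nick, m->payload, n);
    nick[n] = '\0';
    return (int)n;
}

/* Stand-in for the server-side fix described in the thread: drop messages whose
   nick field is too long before relaying.  Returns 1 if relayed, 0 if dropped. */
static int server_filter(const unsigned char *buf, size_t n)
{
    struct msg m;
    if (parse_frame(buf, n, &m) != 0) return 0;
    return first_field_len(&m) < MAX_NICK;
}

/* End-to-end path.  server_filters=1 models the patched vendor server, 0 models a
   third-party server with no check.  Returns 1 accepted, 0 dropped by server,
   -1 rejected by the client's own bound, -2 malformed frame. */
static int client_process(const unsigned char *buf, size_t n, int server_filters)
{
    struct msg m;
    char nick[MAX_NICK];
    if (server_filters && !server_filter(buf, n)) return 0;
    if (parse_frame(buf, n, &m) != 0) return -2;
    if (handle_hardened(&m, nick, sizeof nick) < 0) return -1;
    return 1;
}

/* Build a frame from a constructed payload and run it through client_process. */
static int run_case(const char *payload, int server_filters)
{
    unsigned char frame[MAX_FRAME];
    size_t n = build_frame(frame, sizeof frame, MSG_PUBLIC, payload);
    return n ? client_process(frame, n, server_filters) : -2;
}

/* Same, but through the vulnerable handler; for benign payloads only. */
static int vulnerable_case(const char *payload)
{
    unsigned char frame[MAX_FRAME];
    struct msg m;
    size_t n = build_frame(frame, sizeof frame, MSG_PUBLIC, payload);
    if (n == 0 || parse_frame(frame, n, &m) != 0) return -2;
    return handle_vulnerable(&m);
}

/* Constructed hostile payload: a 150-character nick, far beyond MAX_NICK. */
static const char *hostile_payload(void)
{
    static char buf[200];
    memset(buf, 'A', 150);
    memcpy(buf + 150, " hi", 4);
    return buf;
}

int main(void)
{
    printf("benign, vulnerable handler : %d\n", vulnerable_case("alice hello"));
    printf("benign, filtering server   : %d\n", run_case("alice hello", 1));
    printf("hostile, filtering server  : %d\n", run_case(hostile_payload(), 1));
    printf("hostile, third-party server: %d\n", run_case(hostile_payload(), 0));
    return 0;
}
```

The point of the last two lines of output is the one the post makes: the filtering server returns 0 (dropped upstream), but a non-filtering server hands the same bytes straight to the client, and only the client's own check (-1) stands between that message and a stack overwrite.  A code audit of the client, not a server patch, is what removes the bug.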
