Bugtraq mailing list archives
Re: Cisco PIX Firewall (smtp content filtering hack)
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Thu, 21 Sep 2000 10:58:40 -0700
As a Cisco customer, I personally prefer to get notification as soon as possible. Cisco has known about this bug, but they haven't notified their customers. That is an example of stinky corporate non-ethics at work. We should be notified instantly whenever new security vulnerabilities are discovered.
I certainly understand the individual want for such information: it affords the intelligent and competent admin a choice in interim fixes or temporary policy changes. However, it makes for poor risk management at the global level. The potential for malicious abuse is far greater when exploits that have no patch are made available to the general public.
Of course, this isn't Cisco's preference, so they choose instead to leave their customers in the field with equipment that has security problems which are certain to be discovered by a third party and possibly exploited.
They are not certain to be discovered- not individually and without foreknowledge, anyway. The probability exists, of course, but it is not likely. But here in lies the basis of the full disclosure game of chess. Though there are vendors who will only release vulnerabilities and patches against holes when they are forced to, there are also responsible and concerned vendors who work diligently to not only quickly patch such issues, but to look for interim fixes in the meantime. Cisco and Microsoft are good examples of the latter. When working with such companies, it is always better to go directly to the vendor and work to provide a solution without going to full disclosure, and to release the kb with an associated solution. When ego and self publication are obviated, timely and thorough solutions are propagated. People like Weld Pond and Rain Forest Puppy know this and practice this; that (in addition to superior intellect) is what makes them, and others like them, respected in the industry. You and I (along with thousands of others) now know about this vulnerability. We would not have discovered it on our own, but we now know what it does and how to use it against others if we chose to do so. Had the issued been taken directly to Cisco and kept under hat, even if it took months, then we all would have been far safer. ---------------------------------------------------- Attonbitus Deus thor () hammerofgod com ----- Original Message ----- From: "Jeffrey W. Baker" <jwbaker () ACM ORG> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Wednesday, September 20, 2000 9:46 AM Subject: Re: Cisco PIX Firewall (smtp content filtering hack)
Current thread:
- Cisco PIX Firewall (smtp content filtering hack) naif (Sep 19)
- Re: Cisco PIX Firewall (smtp content filtering hack) Lisa Napier (Sep 20)
- Re: Cisco PIX Firewall (smtp content filtering hack) Jeffrey W. Baker (Sep 21)
- Re: Cisco PIX Firewall (smtp content filtering hack) Deus, Attonbitus (Sep 21)
- Re: Cisco PIX Firewall (smtp content filtering hack) Signal 11 (Sep 22)
- Re: Cisco PIX Firewall (smtp content filtering hack) Jeffrey W. Baker (Sep 21)
- Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable Leandro Dardini (Sep 20)
- Re: Cisco PIX Firewall (smtp content filtering hack) - Version 4.2(1) not exploitable Fabio Pietrosanti (naif) (Sep 20)
- Re: Cisco PIX Firewall (smtp content filtering hack) Ioannis Migadakis (Sep 21)
- Re: Cisco PIX Firewall (smtp content filtering hack) Lisa Napier (Sep 20)