Bugtraq mailing list archives

Re: ISS Advisory clarification


From: security curmudgeon <jericho () attrition org>
Date: Fri, 21 Jun 2002 19:30:29 -0400 (EDT)
Quick clarification on several points based on emails that I've received:

1)      We did notify Apache before going public.  ISS X-Force emailed
Apache in the morning at 9:44am regarding this Advisory.  We waited until
the afternoon before sending to Bugtraq for approval and finally reaching
the Bugtraq mailing list archive at approximately Jun 17 2002 3:57PM.

Technically... but a few hours is a far cry from 30 days.

3)      The ISS X-Force patch did work against the remote exploit that we found
and it did address the Gobbles exploit.  While our patch did properly work
against the remote exploits, we recommend using the official Apache patch.
Apache's updated patch includes fixes for the remote exploit and denial of
service attacks.

from the ISS bugtraq post:
Apache 1.x for Unix contains the same source code, but X-Force believes
that successful exploitation on most Unix platforms is unlikely. 

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524
ISS X-Force has learned that a functional remote Apache HTTP Server
exploit has been released. This exploit may have been in use in the
underground for some time. 

Fact is, ISS was dead wrong about the ability of it being exploited.  Why? 
Is Gobbles that much better than ISS or did ISS rush this out for some
reason?

4) While the general nature of open-source and its virtual
organizations do have enforcement of strict confidentiality issues, this is
not true for every single open-source project.  This is based on the past
experience.  We have seen where open-source projects spread information
immediately in the wild and we have seen some that are organized to maintain
confidentiality.  ISS X-Force deals with all vendors on a case-by-case basis
to provide maximum protection for our customers and the community.

http://www.microsoft.com/TechNet/columns/security/essays/noarch.asp
Most of the security community already follows common-sense rules that
ensure that security vulnerabilities are handled appropriately.  When they
find a security vulnerability, they inform the vendor and work with it
while the patch is being developed. 

http://www.infosecuritymag.com/articles/december01/departments_news.shtml
Under the proposal, coalition members would have a 30-day grace period to
disclose vulnerabilities with law enforcement agencies, government
agencies and their trusted client. In theory, this will give software
vendors a head start in correcting the problem before anyone knows it
exists.

So far, Microsoft has drafted the support of BindView (www.bindview.com),
Foundstone (www.foundstone.com), Guardent (www.guardent.com), @stake
(www.atstake.com) and Internet Security Systems (www.iss.net).


Odd...