Bugtraq mailing list archives

Re: n.runs, Sophos, German laws, and customer safety


From: Oliver Karow <oliver.karow () gmx de>
Date: Tue, 28 Aug 2007 19:12:49 +0200

Hi Steven,

even if I do not support the new anti-hacker law in Germany, I don't see
any important issue in the inconsistency between the n.runs advisory and
the vendor's statement in respect of the new law.

The most important message for the average customer, who is not able to
understand the difference between a DoS and a code execution, is to
install latest vendor patches. 

And those customers who know the difference between these two kinds of
vulnerabilities are aware of the fact that there is a high risk that a
simple DoS might become a code execution if better exploited, and should
also install latest vendor patches (or put any other preventive measure
in place).

In my mind the most important effect of the law is that it will be
punished if someone uses or provides tools that are able to
discover/prove the existence of such vulnerabilities... but that's
another story....

Thanks,

Oliver




On Tue, 2007-08-28 at 13:00 -0400, Steven M. Christey wrote:
The n.runs-SA-2007.027 advisory claims code execution through a UPX
file.  This claim is inconsistent with the vendor's statement that
it's only a "theoretical" DoS:

  http://www.sophos.com/support/knowledgebase/article/28407.html

  "A corrupt UPX file causes the virus engine to crash and Sophos
  Anti-Virus to return 'unrecoverable error. leading to scanning being
  terminated. It should not be a security threat although repeated
  files could cause a denial of service."

It is unfortunate that Germany's legal landscape prevents n.runs from
providing conclusive evidence of their claim.  This directly affects
Sophos customers who want to know whether it's "just a DoS" or not.
Many in the research community know about n.runs and might believe
their claim, but the typical customer does not know who they are
(which is one reason why I think the Pwnies were a good idea).  So,
many customers would be more likely to believe the vendor.  If the
n.runs claim is true, then many customers might be less protected than
they would if German laws did not have the chilling effect they are
demonstrating.

It should be noted that in 2000, a veritable Who's Who of computer
security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
Levy, Alan Paller, and other well-known security professionals -
published a statement of concern about the Council of Europe draft
treaty on Crime in Cyberspace, which I believe was the predecessor to
the legal changes that have been happening in Germany:

  http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

  "Signatory states passing legislation to implement the treaty may
  endanger the security of their computer systems, because computer
  users in those countries will not be able to adequately protect
  their computer systems... legislation that criminalizes security
  software development, distribution, and use is counter to that goal,
  as it would adversely impact security practitioners, researchers,
  and educators."

If I recall correctly, we were assured by representatives that such an
outcome would not occur.

- Steve
