Full Disclosure mailing list archives

iDefense: Solution or Problem?

From: <idefense () hushmail com>
Date: Tue, 13 Jul 2004 13:53:01 -0700


Michael, you claim that this is a typo, but is it really? Even if this
is a typo, how do you explain waiting over a month to contact the vendor?
How do you explain past times when iDefense waited over a year to notify
a vendor? How does this relate to the iDefense disclosure policy?

iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s).

Note: "... will responsibly inform vendors as soon as possible after having
learned of a problem". There is absolutely no debating that this is pure
marketing fluff and not how iDefense operates. Look at their history
of vulnerability disclosure and their timelines for proof. The real question
becomes, just how unethical and how greedy iDefense really is! Further,
are they now rewriting history to desperately protect their already
dark image? Witness:

Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
02/02/2003 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17 months? Shortly before
or after Cary Barker pointed this out on Full-Disclosure
(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html), iDefense
seems to have had a change of heart!

02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification

The first and understandable reaction (excuse) would be "iDefense had
a typo", but once again, digging into their past vulnerabilities, is
that really the case?! Even if THIS advisory had a typo, how about some
others this year?!

04/03/2003  Vulnerability acquired by iDEFENSE
07/08/2004  Public disclosure

04/05/03  Vulnerability acquired by iDEFENSE
05/17/04  Public disclosure

April 2, 2003   Exploit acquired by iDEFENSE
May 12, 2004    Coordinated public disclosure

Sitting on vulnerabilities for a year before notifying the vendors is
not what 'white hat' hackers do. These aren't the actions of a reputable
security company. Combine this with the fact you sell this information
to people in foreign companies and governments, including some that are
"harboring terrorists" (according to our government) makes your actions
potentially criminal. What, you haven't checked your client list carefully?
Selling vulnerability information to terrorist nations isn't very friendly
to the US!

Looking back at your 2004 advisories (and some in 2003), could anyone
at iDefense explain how their responsible disclosure policy applies?
Here is a general idea of their disclosure process and time frames:

Advisory  Discovered Published   Vendor delay Public delay
07.12.04  03-02-02   04-07-12   13 mo  7 d   17 mo 10 d
07.09.04  04-06-29   04-07-09          7 d         10 d
07.08.04  03-04-03   04-07-08   14 mo 26 d   15 mo  5 d
07.01.04  03-09-27   04-07-01    8 mo  7 d    9 mo  4 d
06.23.04  04-04-21   04-06-23         14 d    2 mo  2 d
06.21.04  04-02-26   04-06-21    3 mo 13 d    3 mo 25 d
06.10.04  04-04-14   04-06-10         28 d    1 mo 26 d
06.08.04  04-04-27   04-06-07         22 d    1 mo 10 d
06.07.04  03-04-05   04-05-17   13 mo  2 d   13 mo 12 d
05.27.04  04-02-18   04-05-27         20 d    3 mo  9 d
05.26.04  04-02-18   04-05-26         20 d    3 mo  8 d
05.12.04  03-04-02   04-05-12   12 mo  5 d   13 mo 10 d
04.15.04  03-12-08   04-04-15    1 mo 16 d    5 mo  7 d
04.14.04  04-01-09   04-04-14    1 mo 11 d    3 mo  5 d
04.13.04  04-01-12   04-04-13          5 d    2 mo 24 d
04.05.04  04-01-09   04-04-05    1 mo 16 d    2 mo 26 d
03.19.04  04-01-13   04-03-19         24 d    2 mo  5 d
03.09.04  03-10-10   04-03-11    1 mo  2 d    5 mo  1 d
03.02.04  04-01-22   04-03-02         25 d    1 mo 10 d
02.27.04  04-01-13   04-02-27         26 d    1 mo 14 d
02.27.04  04-02-04   04-02-27          6 d         23 d
02.23.04  03-12-08   04-02-23    1 mo 21 d    2 mo 15 d
02.17.04  03-10-31   04-02-17    4 mo  2 d    4 mo 19 d
02.12.04  04-02-09   04-02-12          0 d          3 d
02.10.04  04-01-09   04-02-10         24 d    1 mo  1 d
02.04.04  03-12-08   04-02-02    1 mo 21 d    1 mo 24 d
09.25.03  03-02-25   ?           8 mo  0 d    ?
07.29.03  03-04-20   03-07-29    2 mo 11 d    3 mo  9 d
07.01.03  03-03-11   03-07-01    3 mo  0 d    3 mo 19 d
05.22.03  02-12-31   03-05-22    4 mo 17 d    5 mo 22 d
02.12.03  02-10-31   03-02-12    2 mo 29 d    3 mo 13 d
02.03.03  02-01-11   03-02-10   12 mo  9 d   12 mo 29 d

"iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s)."

Five different times, iDefense sat on a vulnerability for OVER A YEAR.
They routinely wait one or more months to notify the vendor. Is that
"as soon as possible"? Of course not, that would hurt the bottom line.

Dark Elf


07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification
03/11/2004  Initial vendor response
03/11/2004  iDEFENSE clients notified
06/07/2004  Vendor update released
07/12/2004  Public Disclosure
* original full-disc post listed 02/02/2003 discovery date

07.09.04 - wvWare Library Buffer Overflow Vulnerability
06/29/2004  Initial vendor contact
07/06/2004  Vendor response
07/09/2004  Public disclosure

07.08.04 - SSLTelnet Remote Format String Vulnerability
04/03/2003  Vulnerability acquired by iDEFENSE
06/29/2004  Initial vendor contact
07/02/2004  Secondary vendor contact
07/08/2004  Public disclosure

07.01.04 - WinGate Information Disclosure Vulnerability
09/27/03  Exploit acquired by iDEFENSE
06/04/04  Initial vendor notification
06/10/04  Secondary vendor notification
06/21/04  iDEFENSE clients notified
06/23/04  Initial vendor response
07/01/04  Public Disclosure

06.23.04 - Lotus Notes URI Handler Argument Injection Vulnerability
04/21/2004  Exploit acquired by iDEFENSE
05/05/2004  iDEFENSE clients notified
05/05/2004  Initial vendor notification
05/07/2004  Initial vendor response
06/23/2004  Public disclosure

06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability
02/26/04  Issue acquired by iDEFENSE
06/09/04  Initial vendor contact
06/09/04  iDEFENSE clients notified
06/21/04  Public disclosure

06.10.04 - Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
04/14/2004      Exploit discovered by iDEFENSE
05/12/2004      Initial vendor notification
05/12/2004      iDEFENSE clients notified
05/13/2004      Vendor response
06/10/2004      Coordinated public disclosure

06.08.04 - Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow
04/27/04 Exploit acquired by iDEFENSE
05/19/04 iDEFENSE Clients notified
05/20/04 Initial vendor notification
05/20/04 Initial vendor response
06/07/04 Public Disclosure

06.07.04 - PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
04/05/03  Vulnerability acquired by iDEFENSE
05/07/04  iDEFENSE clients notified
05/07/04  Initial vendor notification
05/17/04  Initial vendor response
05/17/04  Public disclosure

05.27.04 - 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/27/04 Public Disclosure

05.26.04 - 3Com OfficeConnect Remote 812 ADSL Router Telnet Protocol
DoS Vulnerability
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/26/04 Public Disclosure

05.12.04 - Opera Telnet URI Handler File Creation/Truncation Vulnerability
April 2, 2003   Exploit acquired by iDEFENSE
April 7, 2004   Initial vendor notification
April 7, 2004   iDEFENSE clients notified
April 14, 2004  Initial vendor response
May 12, 2004    Coordinated public disclosure

09.25.03 - Sambar Server Multiple Vulnerabilities
February 25, 2003  Exploit acquired by iDEFENSE
September 25, 2003 Initial vendor notification
September 25, 2003 Vendor response

04.15.04 - RealNetworks Helix Universal Server Denial of Service Vulnerability
December 8, 2003        Exploit acquired by iDEFENSE
January 24, 2004        iDEFENSE clients notified
January 26, 2004        Initial vendor notification
April 15, 2004          Public disclosure

04.14.04 - Buffer Overflow in ISO9660 File System Component of Linux
January 9, 2004         Exploit acquired by iDEFENSE
February 20, 2004       Initial vendor notification
February 20, 2004       iDEFENSE clients notified
April 14, 2004          Coordinated public disclosure

04.13.04 - Microsoft Help and Support Center Argument Injection Vulnerability
[prior]                 Exploit disclosed to vendor by contributor
January 12, 2004        Exploit acquired by iDEFENSE
January 12, 2004        iDEFENSE clients notified
January 19, 2004        iDEFENSE Initial contact with vendor
January 23, 2004        Initial vendor reply
April 13, 2004          Coordinated public disclosure

04.05.04 - Perl win32_stat Function Buffer Overflow Vulnerability
January 09, 2004        Vulnerability discovered by iDEFENSE
February 25, 2004       Initial vendor contact
February 26, 2004       iDEFENSE clients notified
February 26, 2004       Vendor response
April 05, 2004          Public disclosure

03.19.04 - Borland Interbase admin.ib Administrative Access Vulnerability
January 13, 2004         Vulnerability acquired by iDEFENSE
February 9, 2004         Initial vendor notification sent - no response
February 12, 2004        iDEFENSE clients notified
March 1, 2004            Secondary vendor notification sent - no response
March 19, 2004           Public disclosure

03.09.04 - Microsoft Outlook "mailto:" Parameter Passing Vulnerability
October 10, 2003        Vulnerability acquired by iDEFENSE
November 12, 2003       Initial vendor notification
November 12, 2003       Initial vendor response
November 21, 2003       iDEFENSE clients notified
March 09, 2004          Coordinated public disclosure
March 11, 2004          Updated advisory

03.02.04 - FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
January 22, 2004        Exploit acquired by iDEFENSE
February 17, 2004       iDEFENSE clients notified
February 18, 2004       Initial vendor notification
February 18, 2004       Initial vendor response
March 02, 2004          Coordinated public disclosure

02.27.04 - WinZip MIME Parsing Buffer Overflow Vulnerability
January 13, 2004        Vulnerability acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Initial vendor response
February 10, 2004       iDEFENSE clients notified
February 27, 2004       Coordinated public disclosure

02.27.04 - Microsoft Internet Explorer Cross Frame Scripting Restriction
February 4, 2004         Vulnerability acquired by iDEFENSE
February 10, 2004        Initial vendor notification
February 10, 2004        Initial vendor response
February 11, 2004        iDEFENSE clients notified
February 27, 2004        Public disclosure

02.23.04 - Darwin Streaming Server Remote Denial of Service Vulnerability
December 8, 2003         Exploit acquired by iDEFENSE
January 29, 2004         iDEFENSE clients notified
January 29, 2004         Initial vendor notification
January 29, 2004         Vendor response received
February 23, 2004        Coordinated public disclosure

02.17.04 - Ipswitch IMail LDAP Daemon Remote Buffer Overflow
October 31, 2003        Exploit acquired by iDEFENSE
February 2, 2004        Initial vendor notification
February 3, 2004        iDEFENSE clients notified
February 3, 2004        Vendor response received
February 17, 2004       Coordinated public disclosure

02.12.04 - XFree86 Font Information File Buffer Overflow II
February 9, 2004        Exploit acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Response received from David Dawes at XFree86.org
February 10, 2004       iDEFENSE Clients notified
February 12, 2004       Public disclosure

02.10.04 - XFree86 Font Information File Buffer Overflow
January 9, 2004         Exploit acquired by iDEFENSE
February 3, 2004        Vendor notified
February 3, 2004        Response received from David Dawes at XFree86.org
February 4, 2004        iDEFENSE clients notified
February 10, 2004       Public disclosure

02.04.04 - GNU Radius Remote Denial of Service Vulnerability
December 8, 2003        Vulnerability acquired by iDEFENSE
January 29, 2004        Initial vendor notification sent
January 29, 2004        iDEFENSE clients notified
February 2, 2004        Response received from Sergey Poznyakoff of GNU Radius
February 2, 2004        Public disclosure on the bug-gnu-radius () gnu org mailing

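The delay table above was tallied by hand from the per-advisory timelines. As an added example (not part of the original post), the script below parses timelines in the three date formats the post mixes, picks out the acquisition, first vendor notification and public disclosure milestones, and expresses each delay as whole calendar months plus days, the same form the table uses; because it does strict calendar arithmetic, a figure may differ by a day or two from the hand-tallied one. The sample text is constructed by copying two of the post's timelines; the keyword matching on milestone descriptions is an assumption about the post's wording, not anything iDefense publishes.

```python
import calendar
import re
from datetime import date, datetime

SAMPLE = """\
07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
02/02/2003  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification
07/12/2004  Public Disclosure

05.12.04 - Opera Telnet URI Handler File Creation/Truncation Vulnerability
April 2, 2003   Exploit acquired by iDEFENSE
April 7, 2004   Initial vendor notification
May 12, 2004    Coordinated public disclosure
"""  # constructed sample: two timelines copied from the post, in two of its date formats
HEADER = re.compile(r"^(\d{2}\.\d{2}\.\d{2}) - ")  # "07.12.04 - <title>"
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{2,4}|[A-Z][a-z]+ \d{1,2}, \d{4})\s+(.+)$")

def parse_date(text):  # the post mixes MM/DD/YYYY, MM/DD/YY and "Month D, YYYY"
    for fmt in ("%m/%d/%Y", "%m/%d/%y", "%B %d, %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")

def add_months(d, n):  # d shifted by n calendar months, day clamped to month length
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def month_day_delta(start, end):  # whole calendar months + leftover days, as in the table
    months = (end.year - start.year) * 12 + end.month - start.month
    if add_months(start, months) > end:
        months -= 1
    return months, (end - add_months(start, months)).days

def disclosure_delays(text):  # advisory id -> (delay to first vendor notice, delay to public)
    out, cur = {}, {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = out.setdefault(m.group(1), {})
        elif m := ENTRY.match(line):
            when, what = parse_date(m.group(1)), m.group(2).lower()
            if "acquired" in what or "discovered" in what:
                cur.setdefault("start", when)  # first acquisition/discovery date wins
            elif "vendor" in what and ("notif" in what or "contact" in what):
                cur.setdefault("vendor", when)  # "vendor response" lines are skipped
            elif "public disclosure" in what:
                cur.setdefault("public", when)
    return {a: tuple(month_day_delta(c["start"], c[k]) if k in c else None
                     for k in ("vendor", "public")) for a, c in out.items() if "start" in c}
```

Running `disclosure_delays` over the full set of timelines in the post reproduces the table's month/day columns; an advisory without a public disclosure line (the Sambar entry) gets `None` for that column.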

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
