Home page logo

bugtraq logo Bugtraq mailing list archives

Re: BUGTRAQ] vulnerability in Connection Manager Control binary in
From: Chris Calabrese <chris_calabrese () YAHOO COM>
Date: Tue, 21 Nov 2000 10:27:43 -0800

Go through your Oracle installation and remove the
setuid bit on all those little helper applications
that you don't use. Don't wait for someone to tell
you that one of them is exploitable.

I couldn't agree more.  Unfortunately, this ends up as
a political issue rather than a technical one in many
cases.  Yes, this is a very bad thing.  It's also all
too common.

[Rant deleted]

I also agree that vendors need to make a more
concerted effort to actually respond to security
issues rather than just sweeping them under the rug.
The good news is that they are getting better.  And
much of this is thanks to pressure from the security
community.  On the other hand, releasing exploit code
before the vendor even has a chance to produce a patch
and without including a definitive and well-tested
work-around is making the problem worse not better.

In my opinion, the responsible thing to do is to
present the vendor with a time-line of when you'll
disclose if they don't do it first.  Here's a (made
up) example.

  Dear vendor,

  I've discovered a huge security hole in product X.
Details below.  You should be aware that I am an
advocate of full disclosure and intend to disclose the
issue to Bugtraq if you do not respond within N1 days,
do not disclose the issue yourself (giving credit to
me, of course) within N2 days, or do not produce a
patch within N3 days.

  Thank you...

This way, you still get the credit you deserve for
discovering the problem, the vendor knows that you
intend to disclose and can react accordingly, and, if
the vendor reacts reasonably, you don't make the
problem worse by letting the cat out of the bag

Ok, that's enough on this issue.  Let's get back to
the real work of making the world a better place ;-)

Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.

  By Date           By Thread  

Current thread:
  • Re: BUGTRAQ] vulnerability in Connection Manager Control binary in Chris Calabrese (Nov 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]