mailing list archives
Re: Cisco PIX Firewall (smtp content filtering hack)
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Wed, 20 Sep 2000 09:46:58 -0700
On Tue, 19 Sep 2000, Lisa Napier wrote:
We have been working for some time to repair this defect. We have a
planned advisory to be posted next week. We do not yet have fixed code to
address this issue, but expect to shortly -- this is what typically holds
up the advisory process, ensuring that we have a solution to the problem
Unfortunately this posting does not provide a workaround, nor any real
assistance to customers attempting to protect themselves.
We really appreciate prior notification. We do work to get vulnerabilities
fixed, and in fact were already working diligently on this one.
As a Cisco customer, I personally prefer to get notification as soon as
possible. Cisco has known about this bug, but they haven't notified their
customers. That is an example of stinky corporate non-ethics at
work. We should be notified instantly whenever new security
vulnerabilities are discovered. We always have one recourse and
workaround, which is to decommission our Pix firewalls until things are
fixed. Of course, this isn't Cisco's preference, so they choose instead
to leave their customers in the field with equipment that has security
problems which are certain to be discovered by a third party and possibly
exploited. I think this scenario has mostly played out in this case.
I wish vendors would get a clue and realize that their customers need
secuity information RIGHT NOW, not when a fix is available. We must be
able to assess our own security situation and take action based on the
known risks. If we don't know about the risks, we can't assess them.