mailing list archives
Re: ISS Advisory clarification
From: security curmudgeon <jericho () attrition org>
Date: Fri, 21 Jun 2002 19:30:29 -0400 (EDT)
Quick clarification on several points based on emails that I've received:
1) We did notify Apache before going public. ISS X-Force emailed
Apache in the morning at 9:44am regarding this Advisory. We waited until
the afternoon before sending to Bugtraq for approval and finally reaching
the Bugtraq mailing list archive at approximately Jun 17 2002 3:57PM.
Technically.. but a few hours is a far cry from 30 days.
3) ISS X-Force patch did work against the remote exploit that we found
and it did address the Gobbles exploit. While our patch did properly work
against the remote exploits, we recommend using the official Apache patch.
Apache's updated patch includes fixes for the remote exploit and denial of
from the ISS bugtraq post:
Apache 1.x for Unix contains the same source code, but X-Force believes
that successful exploitation on most Unix platforms is unlikely.
ISS X-Force has learned that a functional remote Apache HTTP Server
exploit has been released. This exploit may have been in use in the
underground for some time.
Fact is, ISS was dead wrong about the ability of it being exploited. Why?
Is Gobbles that much better than ISS or did ISS rush this out for some
4) While the general nature of open-source and its virtual
organizations do have enforcement of strict confidentiality issues, this is
not true for every single open-source project. This is based on the past
experience. We have seen where open-source projects spread information
immediately in the wild and we have seen some that are organized to maintain
confidentiality. ISS X-Force deals with all vendors on a case-by-case basis
to provide maximum protection for our customers and the community.
Most of the security community already follows common-sense rules that
ensure that security vulnerabilities are handled appropriately. When they
find a security vulnerability, they inform the vendor and work with it
while the patch is being developed.
Under the proposal, coalition members would have a 30-day grace period to
disclose vulnerabilities with law enforcement agencies, government
agencies and their trusted client. In theory, this will give software
vendors a head start in correcting the problem before anyone knows it
So far, Microsoft has drafted the support of BindView (www.bindview.com),
Foundstone (www.foundstone.com), Guardent (www.guardent.com), @stake
(www.atstake.com) and Internet Security Systems (www.iss.net).
- ISS Advisory clarification Klaus, Chris (ISSAtlanta) (Jun 21)
- <Possible follow-ups>
- Re: ISS Advisory clarification security curmudgeon (Jun 21)