Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

iDefense: Solution or Problem?
From: <idefense () hushmail com>
Date: Tue, 13 Jul 2004 13:53:01 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Michael, you claim that this is a typo, but is it really? Even if this
is a typo, how do you explain waiting over a month to contact the vendor?
How do you explain past times when iDefense waited over a year to notify
a vendor? How does this relate to the iDefense disclosure policy?

http://www.idefense.com/legal_disclosure.jsp
iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s).

Note: ".. will responsibly inform vendors as soon as possible after having
learned of a problem". There is absolutely no debating that this is pure
marketing fluff and not how iDefense operates. Look at their history
of vulnerability disclosure and their timelines for proof. The real question
becomes, just how unethical and how greedy iDefense really is! Further,

 are they now rewriting history to desperately protect their already
dark image? Witness:

http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html
Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
VII. DISCLOSURE TIMELINE
02/02/2003 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17 months? Shortly before
or after Cary Barker pointed this out on Full-Disclosure
(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html), iDefense
seems to have had a change of heart!

http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification

The first and understandable reaction (excuse) would be "iDefense had
a typo", but once again, digging into their past vulnerabilities, is
that really the case?! Even if THIS advisory had a typo, how about some
others this year?!

http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003  Vulnerability acquired by iDEFENSE
07/08/2004  Public disclosure

http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03  Vulnerability acquired by iDEFENSE
05/17/04  Public disclosure

http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003   Exploit acquired by iDEFENSE
May 12, 2004    Coordinated public disclosure

Sitting on vulnerabilities for a year before notifying the vendors is
not what 'white hat' hackers do. These aren't the actions of a reputable
security company. Combine this with the fact you sell this information
to people in foreign companies and governments, including some that are
"harboring terrorists" (according to our government) makes your actions
potentially criminal. What, you haven't checked your client list carefully?
Selling vulnerability information to terrorist nations isn't very friendly
to the US!

Looking back at your 2004 advisories (and some in 2003), could anyone
at iDefense explain how their responsible disclosure policy applies?
Here is a general idea of their disclosure process and time frames:

Advisory  Discovery  Publish    Vend Notify  Publish Time
07.12.04  03-02-02   04-07-12   13 mo  7 d   17 mo 10 d
07.09.04  04-06-29   04-07-09          7 d         10 d
07.08.04  03-04-03   04-07-08   14 mo 26 d   15 mo  5 d
07.01.04  03-09-27   04-07-01    8 mo  7 d    9 mo  4 d
06.23.04  04-04-21   04-06-23         14 d    2 mo  2 d
06.21.04  04-02-26   04-06-21    3 mo 13 d    3 mo 25 d
06.10.04  04-04-14   04-06-10         28 d    1 mo 26 d
06.08.04  04-04-27   04-06-07         22 d    1 mo 10 d
06.07.04  03-04-05   04-05-17   13 mo  2 d   13 mo 12 d
05.27.04  04-02-18   04-05-27         20 d    3 mo  9 d
05.26.04  04-02-18   04-05-26         20 d    3 mo  8 d
05.12.04  03-04-02   04-05-12   12 mo  5 d   13 mo 10 d
04.15.04  03-12-08   04-04-15    1 mo 16 d    5 mo  7 d
04.14.04  04-01-09   04-04-14    1 mo 11 d    3 mo  5 d
04.13.04  04-01-12   04-04-13          5 d    2 mo 24 d
04.05.04  04-01-09   04-04-05    1 mo 16 d    2 mo 26 d
03.19.04  04-01-13   04-03-19         24 d    2 mo  5 d
03.09.04  03-10-10   04-03-11    1 mo  2 d    5 mo  1 d
03.02.04  04-01-22   04-03-02         25 d    1 mo 10 d
02.27.04  04-01-13   04-02-27         26 d    1 mo 14 d
02.27.04  04-02-04   04-02-27          6 d         23 d
02.23.04  03-12-08   04-02-23    1 mo 21 d    2 mo 15 d
02.17.04  03-10-31   04-02-17    4 mo  2 d    4 mo 19 d
02.12.04  04-02-09   04-02-12          0 d          3 d
02.10.04  04-01-09   04-02-10         24 d    1 mo  1 d
02.04.04  03-12-08   04-02-02    1 mo 21 d    1 mo 24 d
09.25.03  03-02-25   ?           8 mo  0 d    ?
07.29.03  03-04-20   03-07-29    2 mo 11 d    3 mo  9 d
07.01.03  03-03-11   03-07-01    3 mo  0 d    3 mo 19 d
05.22.03  02-12-31   03-05-22    4 mo 17 d    5 mo 22 d
02.12.03  02-10-31   03-02-12    2 mo 29 d    3 mo 13 d
02.03.03  02-01-11   03-02-10   12 mo  9 d   12 mo 29 d

"iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s)."

Five different times, iDefense sat on a vulnerability for OVER A YEAR.
They routinely wait one or more months to notify the vendor. Is that
"as soon as possible"? Of course not, that would hurt the bottom line.


Sincerely,
Dark Elf



References

07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification
03/11/2004  Initial vendor response
03/11/2004  iDEFENSE clients notified
06/07/2004  Vendor update released
07/12/2004  Public Disclosure
* original full-disc post listed 02/02/2003 discovery date


07.09.04 - wvWare Library Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
06/29/2004  Initial vendor contact
07/06/2004  Vendor response
07/09/2004  Public disclosure


07.08.04 - SSLTelnet Remote Format String Vulnerability
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003  Vulnerability acquired by iDEFENSE
06/29/2004  Initial vendor contact
07/02/2004  Secondary vendor contact
07/08/2004  Public disclosure


07.01.04 - WinGate Information Disclosure Vulnerability
http://www.idefense.com/application/poi/display?id=113&type=vulnerabilities
09/27/03  Exploit acquired by iDEFENSE
06/04/04  Initial vendor notification
06/10/04  Secondary vendor notification
06/21/04  iDEFENSE clients notified
06/23/04  Initial vendor response
07/01/04  Public Disclosure


06.23.04 - Lotus Notes URI Handler Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities
04/21/2004  Exploit acquired by iDEFENSE
05/05/2004  iDEFENSE clients notified
05/05/2004  Initial vendor notification
05/07/2004  Initial vendor response
06/23/2004  Public disclosure


06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=110&type=vulnerabilities
02/26/04  Issue acquired by iDEFENSE
06/09/04  Initial vendor contact
06/09/04  iDEFENSE clients notified
06/21/04  Public disclosure


06.10.04 - Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities
04/14/2004      Exploit discovered by iDEFENSE
05/12/2004      Initial vendor notification
05/12/2004      iDEFENSE clients notified
05/13/2004      Vendor response
06/10/2004      Coordinated public disclosure


06.08.04 - Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow
Vulnerability
http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
04/27/04 Exploit acquired by iDEFENSE
05/19/04 iDEFENSE Clients notified
05/20/04 Initial vendor notification
05/20/04 Initial vendor response
06/07/04 Public Disclosure


06.07.04 - PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
Vulnerability
http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03  Vulnerability acquired by iDEFENSE
05/07/04  iDEFENSE clients notified
05/07/04  Initial vendor notification
05/17/04  Initial vendor response
05/17/04  Public disclosure


05.27.04 - 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass
Vulnerability
http://www.idefense.com/application/poi/display?id=106&type=vulnerabilities
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/27/04 Public Disclosure


05.26.04 - 3Com OfficeConnect Remote 812 ADSL Router Telnet Protocol
DoS Vulnerability
http://www.idefense.com/application/poi/display?id=105&type=vulnerabilities
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/26/04 Public Disclosure


05.12.04 - Opera Telnet URI Handler File Creation/Truncation Vulnerability
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003   Exploit acquired by iDEFENSE
April 7, 2004   Initial vendor notification
April 7, 2004   iDEFENSE clients notified
April 14, 2004  Initial vendor response
May 12, 2004    Coordinated public disclosure


09.25.03 - Sambar Server Multiple Vulnerabilities
http://www.idefense.com/application/poi/display?id=103&type=vulnerabilities
February 25, 2003  Exploit acquired by iDEFENSE
September 25, 2003 Initial vendor notification
September 25, 2003 Vendor response


04.15.04 - RealNetworks Helix Universal Server Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=102&type=vulnerabilities
December 8, 2003        Exploit acquired by iDEFENSE
January 24, 2004        iDEFENSE clients notified
January 26, 2004        Initial vendor notification
April 15, 2004          Public disclosure


04.14.04 - Buffer Overflow in ISO9660 File System Component of Linux
Kernel
http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities
January 9, 2004         Exploit acquired by iDEFENSE
February 20, 2004       Initial vendor notification
February 20, 2004       iDEFENSE clients notified
April 14, 2004          Coordinated public disclosure


04.13.04 - Microsoft Help and Support Center Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=100&type=vulnerabilities
[prior]                 Exploit disclosed to vendor by contributor
January 12, 2004        Exploit acquired by iDEFENSE
January 12, 2004        iDEFENSE clients notified
January 19, 2004        iDEFENSE Initial contact with vendor
January 23, 2004        Initial vendor reply
April 13, 2004          Coordinated public disclosure


04.05.04 - Perl win32_stat Function Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities
January 09, 2004        Vulnerability discovered by iDEFENSE
February 25, 2004       Initial vendor contact
February 26, 2004       iDEFENSE clients notified
February 26, 2004       Vendor response
April 05, 2004          Public disclosure


03.19.04 - Borland Interbase admin.ib Administrative Access Vulnerability
http://www.idefense.com/application/poi/display?id=80&type=vulnerabilities
January 13, 2004         Vulnerability acquired by iDEFENSE
February 9, 2004         Initial vendor notification sent - no response
February 12, 2004        iDEFENSE clients notified
March 1, 2004            Secondary vendor notification sent - no response
March 19, 2004           Public disclosure


03.09.04 - Microsoft Outlook "mailto:"; Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
October 10, 2003        Vulnerability acquired by iDEFENSE
November 12, 2003       Initial vendor notification
November 12, 2003       Initial vendor response
November 21, 2003       iDEFENSE clients notified
March 09, 2004          Coordinated public disclosure
March 11, 2004          Updated advisory


03.02.04 - FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities
January 22, 2004        Exploit acquired by iDEFENSE
February 17, 2004       iDEFENSE clients notified
February 18, 2004       Initial vendor notification
February 18, 2004       Initial vendor response
March 02, 2004          Coordinated public disclosure


02.27.04 - WinZip MIME Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities
January 13, 2004        Vulnerability acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Initial vendor response
February 10, 2004       iDEFENSE clients notified
February 27, 2004       Coordinated public disclosure


02.27.04 - Microsoft Internet Explorer Cross Frame Scripting Restriction
Bypass
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities
February 4, 2004         Vulnerability acquired by iDEFENSE
February 10 2004         Initial vendor notification
February 10 2004         Initial vendor response
February 11, 2004        iDEFENSE clients notified
February 27, 2004        Public disclosure


02.23.04 - Darwin Streaming Server Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=75&type=vulnerabilities
December 8, 2003         Exploit acquired by iDEFENSE
January 29, 2004         iDEFENSE clients notified
January 29, 2004         Initial vendor notification
January 29, 2004         Vendor response received
February 23, 2004        Coordinated public disclosure


02.17.04 - Ipswitch IMail LDAP Daemon Remote Buffer Overflow
http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities
October 31, 2003        Exploit acquired by iDEFENSE
February 2, 2004        Initial vendor notification
February 3, 2004        iDEFENSE clients notified
February 3, 2004        Vendor response received
February 17, 2004       Coordinated public disclosure


02.12.04 - XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73&type=vulnerabilities
February 9, 2004        Exploit acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Response received from David Dawes at XFree86.org
February 10, 2004       iDEFENSE Clients notified
February 12, 2004       Public disclosure


02.10.04 - XFree86 Font Information File Buffer Overflow
http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities
January 9, 2004         Exploit acquired by iDEFENSE
February 3, 2004        Vendor notified
February 3, 2004        Response received from David Dawes at XFree86.org
February 4, 2004        iDEFENSE clients notified
February 10, 2004       Public disclosure


02.04.04 - GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71&type=vulnerabilities
December 8, 2003        Vulnerability acquired by iDEFENSE
January 29, 2004        Initial vendor notification sent
January 29, 2004        iDEFENSE clients notified
February 2, 2004        Response received from Sergey Poznyakoff of GNU Radius
Project
February 2, 2004        Public disclosure on the bug-gnu-radius () gnu org mailing
list
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkD0S5UACgkQjfSOsyNsjh8TgwCeMFgZx7bdZ+/yPffsWH7xu3EG6nsA
oKBRRQo3Tw5QD7z6ggquKoy+O+sG
=o3DG
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault