Bugtraq mailing list archives
Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 1 Sep 2000 12:29:05 -0400
On Thu, 31 Aug 2000 14:41:33 PDT, "Jay D. Dyson" <jdyson () TREACHERY NET> said:
> That a product is in Beta means that the vendor has a distinctly open-door policy on any bug reports regarding the software. Beta == Bugs.
On the other hand, SOME things sort of wedge in 'beta' for forever. For instance, the 'ICQ-Java' application from www.mirabilis.com has been at a beta 0.981a level since at least Jan 1998. For that matter, I just checked their download page, and ALL the ICQ versions are marked 'beta'. However, there's an INCREDIBLE number of ICQ users - does this mean that there shouldn't be an alert if there's a problem? Seems to me that it would be even MORE important to issue an advisory.
> No surprise there. ...Yet when a product is no longer supported, issuing a DoS exploit against it isn't only yesterday's news...it's slapping the jellied *remains* of a dead horse.
And maybe you *need* to slap the jellied remains to get people to upgrade
and migrate. Somebody just posted to the XEmacs list with a bug report
that XEmacs fails to build in the X11R4 environment that SunOS 4.1.4
provides. Should people on those systems not be told "Hey, there's an
issue here", just because their vendor has dropped support?
And remember - people on beta or unsupported systems may need exploits
*MORE* - because they need tools to see if they are vulnerable, or
whether their local patch has addressed the issue, etc etc etc.
Consider the recent rpc.statd exploit - if it had included "and oh, yeah,
FooBarOS 7.1 is vulnerable too", and FooBar Inc had gone belly up, what do
the legacy users use to test? An exploit known to work is a BIG step
up - there's a lot of people out there who can apply a patch, but aren't
able to craft an exploit themselves. If they have one that works to start,
they can be pretty confident when they've closed the actual hole, as opposed
to merely having been unable to get the exploit to work.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
