lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 28 Aug 2007 13:00:22 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: n.runs, Sophos, German laws, and customer safety


The n.runs-SA-2007.027 advisory claims code execution through a UPX
file.  This claim is inconsistent with the vendor's statement that
it's only a "theoretical" DoS:

  http://www.sophos.com/support/knowledgebase/article/28407.html

  "A corrupt UPX file causes the virus engine to crash and Sophos
  Anti-Virus to return 'unrecoverable error. leading to scanning being
  terminated. It should not be a security threat although repeated
  files could cause a denial of service."

It is unfortunate that Germany's legal landscape prevents n.runs from
providing conclusive evidence of their claim.  This directly affects
Sophos customers who want to know whether it's "just a DoS" or not.
Many in the research community know about n.runs and might believe
their claim, but the typical customer does not know who they are
(which is one reason why I think the Pwnies were a good idea).  So,
many customers would be more likely to believe the vendor.  If the
n.runs claim is true, then many customers might be less protected than
they would if German laws did not have the chilling effect they are
demonstrating.

It should be noted that in 2000, a veritable Who's Who of computer
security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
Levy, Alan Paller, and other well-known security professionals -
published a statement of concern about the Council of Europe draft
treaty on Crime in Cyberspace, which I believe was the predecessor to
the legal changes that have been happening in Germany:

  http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

  "Signatory states passing legislation to implement the treaty may
  endanger the security of their computer systems, because computer
  users in those countries will not be able to adequately protect
  their computer systems... legislation that criminalizes security
  software development, distribution, and use is counter to that goal,
  as it would adversely impact security practitioners, researchers,
  and educators."

If I recall correctly, we were assured by representatives that such an
outcome would not occur.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ