Date: Thu, 06 Dec 2007 13:42:13 -0500
From: Simon Smith <simon@...soft.com>
To: Thomas Kristensen <tk@...unia.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [SECUNIA] Vendors still use the "legal" weapon

I would have thought that by this time businesses would be more savvy to
the entire vulnerability disclosure process. They don't seem to realize
that in most cases it's more damaging to try to quash research than it is
to accept it with open arms. That is after all because quashing research
is nearly synonymous with lying to customers.

This reminds me of the HP vs. SNOsoft fiasco back in 2001.


Thomas Kristensen wrote:
> In these days, one would have believed that vendors have learned the
> lesson not to threaten with legal actions to withhold and suppress
> significant information about vulnerabilities in their products.
> 
> Well, nonetheless, Secunia just received a sequel of letters from
> Autonomy, likely not known to many, but it is the software company that
> supplies the "Swiss Army Knife" in handling and opening documents in
> well known software like IBM Lotus Notes and Symantec Mail Security.
> 
> 
> *First a little background information*
> 
> The communication between Autonomy and their OEM customers regarding
> which versions of their KeyView software fix given vulnerabilities
> has failed again and again. This has been a mess to sort out and Secunia
> has had to spend hours verifying what e.g. was fixed by IBM and what was
> fixed by Symantec - because apparently the versioning of the KeyView
> software is different whether used by Symantec, IBM, or others.
> 
> We've managed to figure this out and occasionally this has caused one of
> Autonomy's OEM customers to have unpatched publicly known
> vulnerabilities in their products. All thanks to Autonomy's apparent
> inability to co-ordinate the release of new vulnerability fixes with
> their customers.
> 
> Now, Autonomy has become fed up with handling all these vulnerabilities
> and believe that it is time to control what Secunia writes about.
> Autonomy wants Secunia to withhold information about the fact that
> vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been
> fixed by IBM, obviously also affects Autonomy's own versions 9.2 and
> 10.3 of KeyView.
> 
> According to Autonomy, publishing an advisory would be misleading and
> cause confusion because the issues already have been fixed; in fact,
> they believe that this would cause the public to believe that there are
> more issues in their product than is the case!
> 
> Now that is an interesting logic.
> 
> Sorry Autonomy, writing an advisory that states which vulnerabilities
> have been fixed and in which versions is in no way misleading or
> confusing - even for "historical" issues.
> 
> What is really interesting here is the fact that the Vulnerability
> Database services offered by Autonomy's own customers IBM and Symantec
> (ISS X-Force and Securityfocus respectively) still (at the time of
> publishing) don't show information about the fact that patches are
> available for the Lotus 1-2-3 issue - while Secunia, who Autonomy
> accuses of publishing misleading information, correctly reflects the
> fact that Autonomy offers patches.
> 
> However, this doesn't seem to be a concern for Autonomy or perhaps their
> legal department also treats their own customers in the same way as
> Secunia is treated?
> 
> What is misleading and confusing in this whole case is the apparent lack
> of co-ordination between Autonomy and Autonomy's OEM customers, the lack
> of clear, precise public statements about vulnerabilities and security
> fixes.
> 
> If Autonomy wants to avoid "misleading" and "confusing" communication,
> then Autonomy ought to start publishing bulletins such as those made by
> most other serious and established software vendors (e.g. Microsoft and
> their own customers IBM and Symantec) with clear information about the
> type of vulnerability, potential attack vectors, potential impacts,
> affected versions, and unaffected versions - it's really that simple.
> 
> Naturally, Autonomy should also communicate to their own customers (IBM
> and Symantec) that patches addressing vulnerabilities are available so
> that both their products and their Vulnerability Database services are
> updated.
> 
> 
> *Our response to these claims and accusations*
> 
> Despite Autonomy's unsubstantiated legal threats, Secunia will quite
> legally continue to do vulnerability research in Autonomy products and
> any other products of interest. Naturally, Secunia will also continue to
> publish research articles and advisories in an unbiased, balanced,
> accurate, and truthful manner as we serve one purpose only: To provide
> accurate and reliable Vulnerability Intelligence to our customers and
> the Internet in general.
> 
> Secunia is in continuous, ongoing, and positive dialogues with most
> vendors including large professional organisations like Microsoft, IBM,
> Adobe, Symantec, Novell, Apple, and CA. All understand and respect the
> need for informing the public about vulnerabilities and prefer to
> co-ordinate and synchronise the publication with important Vulnerability
> Intelligence sources such as Secunia rather than battling to keep things
> secret. It is truly sad to see that certain vendors like Autonomy still
> behave like many software vendors did back in the previous millennium.
> 
> 
> Kindest regards,
> 
> Thomas Kristensen
> CTO, Secunia
> 
> 
> Copies of all correspondence in this "matter" are available below in
> chronological order, enjoy:
> http://secunia.com/gfx/Email%20from%20Secunia%2020071128.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071202.pdf
> http://secunia.com/gfx/Email%20from%20Secunia%2020071203.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071203.pdf
> http://secunia.com/gfx/Email%20from%20Secunia%2020071204.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071205.pdf
> 
> 
> The above is also available in our blog:
> http://secunia.com/blog/15/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 

- simon

----------------------
http://www.snosoft.com