A Word on Solutions (we won't tell)
Posted by jericho
From time to time, vendors will contact OSVDB to notify us of solutions to vulnerabilities included in the database. These are almost always very professional mails, usually polite, and sometimes include all the details we need/want. These mails may say something along the lines of "we have fixed this issue", which prompts us to ask if it is a patch, upgrade or workaround. Other times they are very descriptive and provide all the information we need to update our entry, add more detail and provide the best information to our users and their customers.
Every once in a while, we get a real winner. On Dec 29, 2005, Global I.S. S.A. contacted us regarding entry 21429, saying "This vulnerability has been addressed." Within minutes I replied asking if this was in the form of an upgrade or patch, but did not hear back from them. On Jan 2, 2006, they contacted us again asking "This is our second request for a change. Is anybody home?" So I assumed they didn't receive my initial reply (nor did they acknowledge my second reply), but that isn't what grabbed me. The rest of their mail did:
The vulnerability you refer to has been resolved.
For security we do not release the nature of the solution/s.
It is criminally negligent to publish hacks on the web without first notifying the author.
Let us know if you have a question.
On top of the veiled legal threat (which I love!), their comment that they do not release the nature of the solution is baffling, more so that they do this "for security". Vendors, take note: the one time you want to be completely open and honest with information is when it comes to solutions to vulnerabilities. Withholding information or making it unclear/confusing only contributes to insecurity, as customers don't know the extent of the issue, nor how to easily mitigate the vulnerability.

After replying to their second mail, I sent a third mail to follow up. Here it is for amusement:
From: security curmudgeon (jericho@attrition.org)
To: Global I.S. S.A. (info@globalissa.com)
Cc: "moderators@osvdb.org" (moderators@osvdb.org)
Date: Mon, 2 Jan 2006 07:43:06 -0500 (EST)
Subject: Re: [OSVDB Mods] [2nd Change Request] 21429: phpYellow print_me.php ckey Variable SQL Injection
Hello again,
: The vulnerability you refer to has been resolved.
:
: For security we do not release the nature of the solution/s.
Since it is Global I.S. S.A. policy not to disclose the nature of the solution, I have updated the solution description for entry 21429 as follows:
Global I.S. S.A. has indicated in email to OSVDB that there is a solution for this vulnerability. However, their policy prohibits them from sharing what the solution is, or how their customers can protect themselves:
“The vulnerability you refer to has been resolved. For security we do not release the nature of the solution/s.”
Brian
OSVDB.org
You didn’t read the “Email policy.”
Email Policy It is our policy to respond to your inquiry within 48 hours or 2 business days, not including weekends or holidays. To contact us visit any Globalissa website and click ‘Contact us’. If your inquiry is not answered within 48 hours or 2 business days then RESEND your message.
Couldn't find a policy regarding software vulnerabilities. They do have a post-install "security" page. Advice like: choose a good password, periodically change your password. Oh, and this one made me feel all warm and fuzzy: "when using admin click the logout link to end and destroy your session." Why don't they have a link to OSVDB or CVE or Secunia or Symantec even?
At least this is more entertaining than Cisco's response to buy a different product! They (any .com business) keep reciprocating this false knowledge on people when the facts and advice they give are just generalities and not specific to the person or the tasks being performed.