
[Full-Disclosure] iDefense: Solution or Problem?




Michael, you claim that this is a typo, but is it really? Even if this
is a typo, how do you explain waiting over a month to contact the vendor?
How do you explain past times when iDefense waited over a year to notify
a vendor? How does this relate to the iDefense disclosure policy?

http://www.idefense.com/legal_disclosure.jsp
iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s).

Note: "... will responsibly inform vendors as soon as possible after having
learned of a problem". There is absolutely no debating that this is pure
marketing fluff and not how iDefense operates. Look at their history
of vulnerability disclosure and their timelines for proof. The real question
becomes, just how unethical and how greedy iDefense really is! Further,
are they now rewriting history to desperately protect their already
dark image? Witness:

http://seclists.org/lists/fulldisclosure/2004/Jul/0574.html
Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
VII. DISCLOSURE TIMELINE
02/02/2003 Exploit discovered by iDEFENSE
03/11/2004 Initial vendor notification

Did iDefense sit on this vulnerability for 17 months? Shortly before
or after Cary Barker pointed this out on Full-Disclosure
(http://seclists.org/lists/fulldisclosure/2004/Jul/0585.html), iDefense
seems to have had a change of heart!

http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification

The first and understandable reaction (excuse) would be "iDefense had
a typo", but once again, digging into their past vulnerabilities, is
that really the case?! Even if THIS advisory had a typo, how about some
others this year?!

http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003  Vulnerability acquired by iDEFENSE
07/08/2004  Public disclosure

http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03  Vulnerability acquired by iDEFENSE
05/17/04  Public disclosure

http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003   Exploit acquired by iDEFENSE
May 12, 2004    Coordinated public disclosure

Sitting on vulnerabilities for a year before notifying the vendors is
not what 'white hat' hackers do. These aren't the actions of a reputable
security company. Combining this with the fact that you sell this information
to people in foreign companies and governments, including some that are
"harboring terrorists" (according to our government), makes your actions
potentially criminal. What, you haven't checked your client list carefully?
Selling vulnerability information to terrorist nations isn't very friendly
to the US!

Looking back at your 2004 advisories (and some in 2003), could anyone
at iDefense explain how their responsible disclosure policy applies?
Here is a general idea of their disclosure process and time frames:

Advisory  Discovery  Publish    Vend Notify  Publish Time
07.12.04  03-02-02   04-07-12   13 mo  7 d   17 mo 10 d
07.09.04  04-06-29   04-07-09          7 d         10 d
07.08.04  03-04-03   04-07-08   14 mo 26 d   15 mo  5 d
07.01.04  03-09-27   04-07-01    8 mo  7 d    9 mo  4 d
06.23.04  04-04-21   04-06-23         14 d    2 mo  2 d
06.21.04  04-02-26   04-06-21    3 mo 13 d    3 mo 25 d
06.10.04  04-04-14   04-06-10         28 d    1 mo 26 d
06.08.04  04-04-27   04-06-07         22 d    1 mo 10 d
06.07.04  03-04-05   04-05-17   13 mo  2 d   13 mo 12 d
05.27.04  04-02-18   04-05-27         20 d    3 mo  9 d
05.26.04  04-02-18   04-05-26         20 d    3 mo  8 d
05.12.04  03-04-02   04-05-12   12 mo  5 d   13 mo 10 d
04.15.04  03-12-08   04-04-15    1 mo 16 d    5 mo  7 d
04.14.04  04-01-09   04-04-14    1 mo 11 d    3 mo  5 d
04.13.04  04-01-12   04-04-13          5 d    2 mo 24 d
04.05.04  04-01-09   04-04-05    1 mo 16 d    2 mo 26 d
03.19.04  04-01-13   04-03-19         24 d    2 mo  5 d
03.09.04  03-10-10   04-03-11    1 mo  2 d    5 mo  1 d
03.02.04  04-01-22   04-03-02         25 d    1 mo 10 d
02.27.04  04-01-13   04-02-27         26 d    1 mo 14 d
02.27.04  04-02-04   04-02-27          6 d         23 d
02.23.04  03-12-08   04-02-23    1 mo 21 d    2 mo 15 d
02.17.04  03-10-31   04-02-17    4 mo  2 d    4 mo 19 d
02.12.04  04-02-09   04-02-12          0 d          3 d
02.10.04  04-01-09   04-02-10         24 d    1 mo  1 d
02.04.04  03-12-08   04-02-02    1 mo 21 d    1 mo 24 d
09.25.03  03-02-25   ?           8 mo  0 d    ?
07.29.03  03-04-20   03-07-29    2 mo 11 d    3 mo  9 d
07.01.03  03-03-11   03-07-01    3 mo  0 d    3 mo 19 d
05.22.03  02-12-31   03-05-22    4 mo 17 d    5 mo 22 d
02.12.03  02-10-31   03-02-12    2 mo 29 d    3 mo 13 d
02.03.03  02-01-11   03-02-10   12 mo  9 d   12 mo 29 d

"iDEFENSE will responsibly inform vendors as soon as possible after having
learned of a problem with their product(s) or service(s)."

Five different times, iDefense sat on a vulnerability for OVER A YEAR.
They routinely wait one or more months to notify the vendor. Is that
"as soon as possible"? Of course not, that would hurt the bottom line.


Sincerely,
Dark Elf



References

07.12.04 - Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities
02/02/2004  Exploit discovered by iDEFENSE
03/11/2004  Initial vendor notification
03/11/2004  Initial vendor response
03/11/2004  iDEFENSE clients notified
06/07/2004  Vendor update released
07/12/2004  Public Disclosure
* original full-disc post listed 02/02/2003 discovery date


07.09.04 - wvWare Library Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities
06/29/2004  Initial vendor contact
07/06/2004  Vendor response
07/09/2004  Public disclosure


07.08.04 - SSLTelnet Remote Format String Vulnerability
http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities
04/03/2003  Vulnerability acquired by iDEFENSE
06/29/2004  Initial vendor contact
07/02/2004  Secondary vendor contact
07/08/2004  Public disclosure


07.01.04 - WinGate Information Disclosure Vulnerability
http://www.idefense.com/application/poi/display?id=113&type=vulnerabilities
09/27/03  Exploit acquired by iDEFENSE
06/04/04  Initial vendor notification
06/10/04  Secondary vendor notification
06/21/04  iDEFENSE clients notified
06/23/04  Initial vendor response
07/01/04  Public Disclosure


06.23.04 - Lotus Notes URI Handler Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities
04/21/2004  Exploit acquired by iDEFENSE
05/05/2004  iDEFENSE clients notified
05/05/2004  Initial vendor notification
05/07/2004  Initial vendor response
06/23/2004  Public disclosure


06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=110&type=vulnerabilities
02/26/04  Issue acquired by iDEFENSE
06/09/04  Initial vendor contact
06/09/04  iDEFENSE clients notified
06/21/04  Public disclosure


06.10.04 - Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities
04/14/2004      Exploit discovered by iDEFENSE
05/12/2004      Initial vendor notification
05/12/2004      iDEFENSE clients notified
05/13/2004      Vendor response
06/10/2004      Coordinated public disclosure


06.08.04 - Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow
Vulnerability
http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities
04/27/04 Exploit acquired by iDEFENSE
05/19/04 iDEFENSE Clients notified
05/20/04 Initial vendor notification
05/20/04 Initial vendor response
06/07/04 Public Disclosure


06.07.04 - PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
Vulnerability
http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities
04/05/03  Vulnerability acquired by iDEFENSE
05/07/04  iDEFENSE clients notified
05/07/04  Initial vendor notification
05/17/04  Initial vendor response
05/17/04  Public disclosure


05.27.04 - 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass
Vulnerability
http://www.idefense.com/application/poi/display?id=106&type=vulnerabilities
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/27/04 Public Disclosure


05.26.04 - 3Com OfficeConnect Remote 812 ADSL Router Telnet Protocol
DoS Vulnerability
http://www.idefense.com/application/poi/display?id=105&type=vulnerabilities
02/18/04 Exploit acquired by iDEFENSE
03/08/04 iDEFENSE Clients notified
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/26/04 Public Disclosure


05.12.04 - Opera Telnet URI Handler File Creation/Truncation Vulnerability
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
April 2, 2003   Exploit acquired by iDEFENSE
April 7, 2004   Initial vendor notification
April 7, 2004   iDEFENSE clients notified
April 14, 2004  Initial vendor response
May 12, 2004    Coordinated public disclosure


09.25.03 - Sambar Server Multiple Vulnerabilities
http://www.idefense.com/application/poi/display?id=103&type=vulnerabilities
February 25, 2003  Exploit acquired by iDEFENSE
September 25, 2003 Initial vendor notification
September 25, 2003 Vendor response


04.15.04 - RealNetworks Helix Universal Server Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=102&type=vulnerabilities
December 8, 2003        Exploit acquired by iDEFENSE
January 24, 2004        iDEFENSE clients notified
January 26, 2004        Initial vendor notification
April 15, 2004          Public disclosure


04.14.04 - Buffer Overflow in ISO9660 File System Component of Linux
Kernel
http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities
January 9, 2004         Exploit acquired by iDEFENSE
February 20, 2004       Initial vendor notification
February 20, 2004       iDEFENSE clients notified
April 14, 2004          Coordinated public disclosure


04.13.04 - Microsoft Help and Support Center Argument Injection Vulnerability
http://www.idefense.com/application/poi/display?id=100&type=vulnerabilities
[prior]                 Exploit disclosed to vendor by contributor
January 12, 2004        Exploit acquired by iDEFENSE
January 12, 2004        iDEFENSE clients notified
January 19, 2004        iDEFENSE Initial contact with vendor
January 23, 2004        Initial vendor reply
April 13, 2004          Coordinated public disclosure


04.05.04 - Perl win32_stat Function Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities
January 09, 2004        Vulnerability discovered by iDEFENSE
February 25, 2004       Initial vendor contact
February 26, 2004       iDEFENSE clients notified
February 26, 2004       Vendor response
April 05, 2004          Public disclosure


03.19.04 - Borland Interbase admin.ib Administrative Access Vulnerability
http://www.idefense.com/application/poi/display?id=80&type=vulnerabilities
January 13, 2004         Vulnerability acquired by iDEFENSE
February 9, 2004         Initial vendor notification sent - no response
February 12, 2004        iDEFENSE clients notified
March 1, 2004            Secondary vendor notification sent - no response
March 19, 2004           Public disclosure


03.09.04 - Microsoft Outlook "mailto:" Parameter Passing Vulnerability
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
October 10, 2003        Vulnerability acquired by iDEFENSE
November 12, 2003       Initial vendor notification
November 12, 2003       Initial vendor response
November 21, 2003       iDEFENSE clients notified
March 09, 2004          Coordinated public disclosure
March 11, 2004          Updated advisory


03.02.04 - FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities
January 22, 2004        Exploit acquired by iDEFENSE
February 17, 2004       iDEFENSE clients notified
February 18, 2004       Initial vendor notification
February 18, 2004       Initial vendor response
March 02, 2004          Coordinated public disclosure


02.27.04 - WinZip MIME Parsing Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=76&type=vulnerabilities
January 13, 2004        Vulnerability acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Initial vendor response
February 10, 2004       iDEFENSE clients notified
February 27, 2004       Coordinated public disclosure


02.27.04 - Microsoft Internet Explorer Cross Frame Scripting Restriction
Bypass
http://www.idefense.com/application/poi/display?id=77&type=vulnerabilities
February 4, 2004         Vulnerability acquired by iDEFENSE
February 10 2004         Initial vendor notification
February 10 2004         Initial vendor response
February 11, 2004        iDEFENSE clients notified
February 27, 2004        Public disclosure


02.23.04 - Darwin Streaming Server Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=75&type=vulnerabilities
December 8, 2003         Exploit acquired by iDEFENSE
January 29, 2004         iDEFENSE clients notified
January 29, 2004         Initial vendor notification
January 29, 2004         Vendor response received
February 23, 2004        Coordinated public disclosure


02.17.04 - Ipswitch IMail LDAP Daemon Remote Buffer Overflow
http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities
October 31, 2003        Exploit acquired by iDEFENSE
February 2, 2004        Initial vendor notification
February 3, 2004        iDEFENSE clients notified
February 3, 2004        Vendor response received
February 17, 2004       Coordinated public disclosure


02.12.04 - XFree86 Font Information File Buffer Overflow II
http://www.idefense.com/application/poi/display?id=73&type=vulnerabilities
February 9, 2004        Exploit acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Response received from David Dawes at XFree86.org
February 10, 2004       iDEFENSE Clients notified
February 12, 2004       Public disclosure


02.10.04 - XFree86 Font Information File Buffer Overflow
http://www.idefense.com/application/poi/display?id=72&type=vulnerabilities
January 9, 2004         Exploit acquired by iDEFENSE
February 3, 2004        Vendor notified
February 3, 2004        Response received from David Dawes at XFree86.org
February 4, 2004        iDEFENSE clients notified
February 10, 2004       Public disclosure


02.04.04 - GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71&type=vulnerabilities
December 8, 2003        Vulnerability acquired by iDEFENSE
January 29, 2004        Initial vendor notification sent
January 29, 2004        iDEFENSE clients notified
February 2, 2004        Response received from Sergey Poznyakoff of GNU Radius
Project
February 2, 2004        Public disclosure on the bug-gnu-radius@xxxxxxx mailing
list
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
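The durations in the post's table can be checked mechanically against the timelines quoted in its reference list. The script below is an added example, not code from the post or from iDefense: it parses the mixed date layouts those timelines use, picks out the acquisition, first vendor contact and public disclosure milestones by keyword (a rule of my own), and reports the day counts; the sample entries are copied from the post's references, with the Adobe entry included in both its 2003 and 2004 variants.

```python
"""Days between acquisition, first vendor contact and public disclosure
in iDEFENSE-style advisory timelines. Added example, not the post's code;
milestone keyword rules and the parsing of the date layouts are assumptions."""
import re
from datetime import datetime

# The reference list mixes several date layouts; try each in turn.
DATE_FORMATS = ("%m/%d/%Y", "%m/%d/%y", "%B %d, %Y", "%B %d %Y")
LINE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{2,4}|[A-Z][a-z]+ \d{1,2},? \d{4})\s+(.*\S)\s*$")

def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError("unrecognised date: %r" % text)

def timeline_days(entry):
    """Return (days to first vendor contact, days to public disclosure).
    Lines with no leading date, such as '[prior]', are ignored, and a
    missing milestone yields None rather than a bogus number."""
    acquired = notified = disclosed = None
    for line in entry.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, event = parse_date(m.group(1)), m.group(2).lower()
        if acquired is None and ("acquired" in event or "discovered" in event):
            acquired = when
        elif notified is None and "vendor" in event and (
                "notif" in event or "contact" in event):
            notified = when  # "vendor response" lines deliberately don't match
        elif disclosed is None and "public disclosure" in event:
            disclosed = when
    span = lambda d: (d - acquired).days if acquired and d else None
    return span(notified), span(disclosed)

# Constructed from the post's reference list; the Adobe entry appears
# twice, with the 2003 date of the original post and the later 2004 date.
SAMPLES = {
    "Adobe (2003 date)": "02/02/2003  Exploit discovered by iDEFENSE\n"
        "03/11/2004  Initial vendor notification\n07/12/2004  Public Disclosure",
    "Adobe (2004 date)": "02/02/2004  Exploit discovered by iDEFENSE\n"
        "03/11/2004  Initial vendor notification\n07/12/2004  Public Disclosure",
    "Opera": "April 2, 2003   Exploit acquired by iDEFENSE\nApril 7, 2004   "
        "Initial vendor notification\nMay 12, 2004    Coordinated public disclosure",
}
```

Running `timeline_days` over each entry in `SAMPLES` gives the day counts behind the post's "months and days" columns, so the 2003 versus 2004 discovery date for the Adobe advisory shows up as 403 versus 38 days to vendor notification.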