Update: Another follow-up statement was written by ISSAtlanta and also issued through Bugtraq. Apparently ISS is still receiving emails about this issue.

Date: Fri, 21 Jun 2002 16:15:53 -0400
From: "Klaus, Chris (ISSAtlanta)"
To: "'bugtraq@securityfocus.com'"
Subject: ISS Advisory clarification

Quick clarification on several points based on emails that I've received:

1) We did notify Apache before going public. ISS X-Force emailed Apache in the morning at 9:44am regarding this Advisory. We waited until the afternoon before sending to Bugtraq for approval and finally reaching the Bugtraq mailing list archive at approximately Jun 17 2002 3:57PM.

2) Apache was not aware that a remote exploit vulnerability existed until ISS X-Force alerted them to the seriousness of this. They were working on denial of service issues.

3) The ISS X-Force patch did work against the remote exploit that we found and it did address the Gobbles exploit. While our patch did properly work against the remote exploits, we recommend using the official Apache patch. Apache's updated patch includes fixes for the remote exploit and denial of service attacks.

4) While the general nature of open-source and its virtual organizations do have enforcement of strict confidentiality issues, this is not true for every single open-source project. This is based on the past experience. We have seen where open-source projects spread information immediately in the wild and we have seen some that are organized to maintain confidentiality. ISS X-Force deals with all vendors on a case-by-case basis to provide maximum protection for our customers and the community.

We are currently working with another major vulnerability dealing with an open-source vendor whereby we both are coordinating and cooperating and shrinking the 30 day quiet period significantly to quickly provide a patch to the public. We are trying to learn from our experience and continue to improve the advisory release process. We are hoping this next major advisory will be received more positively.


***********************************************************************
Christopher W. Klaus
Founder and CTO
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, GA 30328
Phone: 404-236-4051 Fax: 404-236-2637
NASDAQ: ISSX
Internet Security Systems ~ The Power To Protect


ISSAtlanta issued a statement today on Bugtraq clarifying its position on the Apache Chunk Encoding Vulnerability/Exploit.
To: BugTraq
Subject: ISS Apache Advisory Response
Date: Jun 20 2002 10:06PM
Author: Klaus, Chris (ISSAtlanta)

There has been a lot of misinformation spread about our ISS Apache Advisory, and I wanted to clean up any confusion and misunderstanding.

1) Our policy for publishing advisories is to give a vendor a 30 to 45 day quiet period to provide an opportunity to create a patch or workaround. If an exploit for the vulnerability appears in the wild, or a patch and workaround is provided by the vendor or ISS X-Force, this quiet period is disregarded and the ISS X-Force advisory is published immediately.

In the case of this advisory, ISS X-Force provided an Apache patch and did not see a need for a long quiet period.

2) The original ISS X-Force Apache Patch did work properly against the specific vulnerability described by X-Force, despite claims that it did not. The Apache and CERT advisories on their websites have been corrected to reflect this.

3) ISS was not aware of other researchers discovering this vulnerability nor aware of it in the wild at the time of the release of the advisory.

4) Following along with Presidential Decision Directive-63, ISS had cooperated and coordinated with National Infrastructure Protection Center (NIPC) on this advisory. We will continue to work with NIPC on upcoming advisories.

5) The Gobbles exploit has confirmed our decision to release as soon as possible based on our assumption that others were likely to discover the same vulnerability in the wild.

6) We do not view this as a race to beat other researchers to releasing an advisory, but a race to protect our customers in a timely manner.

Due to the general nature of open-source and its openness, the virtual organizations behind the projects do not have an ability to enforce strict confidentiality. By notifying the open source project, its nature is that the information is quickly spread in the wild disregarding any type of quiet period. ISS X-Force minimizes the quiet period and delay of protecting customers by providing a security patch.

ISS has made these decisions based on our mission to provide the best security to our customers and being a trusted security advisor.


Sincerely,
Christopher W. Klaus

***********************************************************************
Christopher W. Klaus
Founder and CTO
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, GA 30328
Phone: 404-236-4051 Fax: 404-236-2637
NASDAQ: ISSX
Internet Security Systems ~ The Power To Protect