Steven M. Bellovin wrote:
On Thu, 23 Mar 2006 03:41:52 -0600 (CST), Gadi Evron <ge@linuxbox.org> wrote:
It took Sendmail a month to fix this. A month.
A month!
With such Vendor Responsibility, perhaps it is indeed a Good Thing to go Full Disclosure. It seems like history is repeating itself and Full Disclosure is once again not only a choice, but necessary to make vendors become responsible.
Given the scope of the changes you describe -- you wrote "Sendmail.com's patch is so big they may as well have re-released the whole program." -- I can't get upset at taking a month to fix it. You're dealing with asynchronous events, which are really hard to start with. I suspect that they spent some time deciding how to fix it -- you don't appear thrilled with their choice, but I don't know what other options they considered -- and then actually tested the new code. Given how many of our security problems are due to buggy and inadequately-tested code, I suspect that taking a month was actually being quite responsible.
I'd usually agree, compared to a year and a half with Microsoft or 3 years with Oracle. The point here, though, is that the patch was released almost with no notification _to_the_security_community_ (bugtraq, fd, etc.). It was obfuscated (open source, funny notion) and released. Exploits are already out there. When you are critical infrastructure, you have higher responsibility. You either practice non-disclosure and patch your users over time, then disclose, or simply disclose. It depends on needs and/or how responsive the vendor is. One can't have it both ways, unfortunately. Gadi.