On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:
> I couldn't disagree more. Cisco are trying to control the situation as best they can so that they can deploy the needed fixes before the $scriptkiddies start having their fun. It's no different to how any other vendor handles an exploit and I'm surprised to see network operators having such an attitude.
That's part of the issue: this wasn't an exploit in the sense of something a $scriptkiddie could exploit. The sheer technical requirements of the exploit itself ensure that it will only be reproduced by a small number of people across the globe. There was no source or proof of concept code released, and duplicating the information would only provide you a method to increase the severity of other potential exploits. It does not create any new exploits.

Moreover, the fix for this was already released and you have not been able to download a vulnerable version of the software for months; however, there was no indication from Cisco regarding the severity of the required upgrade. That is to say, they knew in April that arbitrary code execution was possible on routers, they had it fixed by May, and we're hearing about it now, and if Cisco had its way we might still not be hearing about it. How many network engineers knew there was a potential problem of this magnitude at the beginning of May? If, knock on wood, someone had released this code into the wild, then how many networks would have been vulnerable despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is interesting to note that Cisco and ISS considered the information to be "not quite complete." This is especially interesting since the research was done weeks ago according to the researcher. It's surprising that such a decision as to the incompleteness of the presentation and the retraction of Cisco's support for the presentation were withdrawn only several days before the talk. It would lead me to believe that both companies had less interest in a "process of disclosure and communication" and more in burying this information for a year or more.

I agree with everyone that making attack tools and exploit information available to the public prior to a fix being generated with the vendor is a poor method of encouraging good security; however, that is far from the case in this matter. A fix had been generated with the vendor and it was time for the information to become public so network operators understood that the remote execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259