full-disclosure-uk December 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] [SECUNIA] Vendors stil

Re: [Full-disclosure] [SECUNIA] Vendors still use the "legal" weapon

From: Simon Smith <simon_at_nospam>
Date: Thu Dec 06 2007 - 18:42:13 GMT
To: Thomas Kristensen <tk@secunia.com>

I would have thought that by this time businesses would be more savvy to the entire vulnerability disclosure process. They don't seem to realize that in most cases its more damaging to try to quash research than it is to accept it with open arms. That is after all because quashing research is nearly synonymous with lying to customers.

This reminds me of the HP v.s. SNOsoft fiasco back in 2001.

Thomas Kristensen wrote:
> In these days, one would have believed that vendors have learned the
> lesson not to threaten with legal actions to withhold and suppress
> significant information about vulnerabilities in their products.
> Well, nonetheless, Secunia just received a sequel of letters from
> Autonomy, likely not known to many, but it is the software company that
> supplies the "Swiss Army Knife" in handling and opening documents in
> well known software like IBM Lotus Notes and Symantec Mail Security.
> *First a little background information*
> The communication between Autonomy and their OEM customers regarding
> which versions of their KeyView software that fix given vulnerabilities
> has failed again and again. This has been a mess to sort out and Secunia
> has had to spent hours verifying what e.g. was fixed by IBM and what was
> fixed by Symantec - because apparently the versioning of the KeyView
> software is different whether used by Symantec, IBM, or others.
> We've managed to figure this out and occasionally this has caused one of
> Autonomy's OEM customers to have unpatched publicly known
> vulnerabilities in their products. All thanks to Autonomy's apparent
> inability to co-ordinate the release of new vulnerability fixes with
> their customers.
> Now, Autonomy has become fed up with handling all these vulnerabilities
> and believe that it is time to control what Secunia writes about.
> Autonomy wants Secunia to withhold information about the fact that
> vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been
> fixed by IBM, obviously also affects Autonomy's own versions 9.2 and
> 10.3 of KeyView.
> According to Autonomy, publishing an advisory would be misleading and
> cause confusion because the issues already have been fixed; in fact,
> they believe that this would cause the public to believe that there are
> more issues in their product than is the case!
> Now that is an interesting logic.
> Sorry Autonomy, writing an advisory that states which vulnerabilities
> have been fixed and in which versions is in no way misleading or
> confusing - even for "historical" issues.
> What is really interesting here is the fact that the Vulnerability
> Database services offered by Autonomy's own customers IBM and Symantec
> (ISS X-Force and Securityfocus respectively) still (at the time of
> publishing) don't show information about the fact that patches are
> available for the Lotus 1-2-3 issue - while Secunia, who Autonomy
> accuses of publishing misleading information, correctly reflects the
> fact that Autonomy offers patches.
> However, this doesn't seem to be a concern for Autonomy or perhaps their
> legal department also treats their own customers in the same way as
> Secunia is treated?
> What is misleading and confusing in this whole case is the apparent lack
> of co-ordination between Autonomy and Autonomy's OEM customers, the lack
> of clear, precise public statements about vulnerabilities and security
> fixes.
> If Autonomy wants to avoid "misleading" and "confusing" communication,
> then Autonomy ought to start publishing bulletins such as those made by
> most other serious and established software vendors (e.g. Microsoft and
> their own customers IBM and Symantec) with clear information about the
> type of vulnerability, potential attack vectors, potential impacts,
> affected versions, and unaffected versions - it's really that simple.
> Naturally, Autonomy should also communicate to their own customers (IBM
> and Symantec) that patches addressing vulnerabilities are available so
> that both their products and their Vulnerability Database services are
> updated.
> *Our response to these claims and accusations*
> Despite Autonomy's unsubstantiated legal threats, Secunia will quite
> legally continue to do vulnerability research in Autonomy products and
> any other products of interest. Naturally, Secunia will also continue to
> publish research articles and advisories in an unbiased, balanced,
> accurate, and truthful manner as we serve one purpose only: To provide
> accurate and reliable Vulnerability Intelligence to our customers and
> the Internet in general.
> Secunia is in continuous, ongoing, and positive dialogues with most
> vendors including large professional organisations like Microsoft, IBM,
> Adobe, Symantec, Novell, Apple, and CA. All understand and respect the
> need for informing the public about vulnerabilities and prefer to
> co-ordinate and synchronise the publication with important Vulnerability
> Intelligence sources such as Secunia rather than battling to keep things
> secret. It is truly sad to see that certain vendors like Autonomy still
> behave like many software vendors did back in the previous millennium.
> Kindest regards,
> Thomas Kristensen
> CTO, Secunia
> Copies of all correspondence in this "matter" is available below in
> chronological order, enjoy:
> http://secunia.com/gfx/Email%20from%20Secunia%2020071128.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071202.pdf
> http://secunia.com/gfx/Email%20from%20Secunia%2020071203.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071203.pdf
> http://secunia.com/gfx/Email%20from%20Secunia%2020071204.pdf
> http://secunia.com/gfx/Letter%20from%20Autonomy%2020071205.pdf
> The above is also available in our blog:
> http://secunia.com/blog/15/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- - simon ---------------------- http://www.snosoft.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/