[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bind 8 info update regarding ISS

Upfront, Like to recognize that ISS has been doing a
great job at finding very critical but obscure
vulnerabilities in popular services.  I'm guessing
that there has been alot of other security experts
that have audited the source code of Bind, SSH, etc
and overlooked the discrepencies that ISS picks up on.

Russ Cooper, the Surgeon General of TruSecure, blasted
ISS publicly on the Symantec Bugtraq mailing list with
an opinion on how ISS is irresponsible for not working
with the ISC to properly patch Bind and how they
unethically updated their own products. 

Here's updated information that clears up whether ISS
was acting responsible and properly gave notice to the
ISC BIND organization.  Maybe Russ should give ISS an
apology for jumping to conclusions without waiting for


Re:Did ISS tell bind maintainers? 

ISS and ISC worked together on this. ISS found the
vulns, ISC worked with the vendors, and both of us
worked with CERT and coordinated the announcements.

Paul Vixie
Chairman, ISC
Re:Did ISS tell bind maintainers? 
by Florian Weimer (fw@xxxxxxxxxxxxx) on Tuesday
November 12, @06:43PM (#4655265) 
(User #88405 Info | http://www.enyo.de/fw/)  
Does anyone know if ISS did the right thing, or are
they being big doo-doo-heads?

In this case, ISS did not rush ahead. This was a
coordinated release. Of course, something went
horribly wrong, but I don't think ISS is to blame for
it (maybe they could have warned ISC that their
approach wouldn't work out, though).  


Subject: Re: Bind 8 bug experience 
Date: Nov 14 2002 2:41PM 
Author: Olaf Kirch <okir@xxxxxxx> 
On Wed, Nov 13, 2002 at 12:04:31PM -0800, Jeremy C.
Reed wrote: > But I see the patches were made October
30 (if the dates are reliable).

In fact I believe ISC have been sitting on this for
almost a month.
The CVE IDs were assigned October 16, and I have
reason to believe that they learned of this no later
than October 23.

Members of BIND Forum were notified last week, from
what I'm told.

In my opinion, the main reason for ISC to use this
method of distributing the patches rather than going
through established channels (such as CERT) was to be
able to convince software vendors and other bodies
using/distributing BIND to become a member of BIND
forum. I don't know if that worked out, but I have my

>From my experience of the past two days, I believe
they did not expect there to be such a demand for the

** My Own Msg below To Russ **

Regarding Russ Cooper trying to shoot the messenger,
where ISS has reported BIND vulnerabilities, I have
not seen any evidence of ISS acting irresponsible.

It appears they have worked with the vendor to develop
patches and a fix. On ISC Bind's website, they thank
ISS in many places. ISS's advisory recommended several
work-arounds as well.  They did not release any
exploit code or demonstration code.  Their security
advisory is very benign compared to many other posts
on Bugtraq.

I don't understand Russ accusing ISS of violating the
code ethics of vulnerability disclosure by updating
their own security products against the
vulnerabilities.  It would seem ridiculous if they
DIDN'T update their products when they find
vulnerabilities.  I would hope any security company
who found vulnerabilities would update their products
as quickly as possible.  IMHO, If ISS finds a
vulnerability, they should update their products while
the vendor fixes their products.  

If TruSecure, Russ Cooper's employer, ever found a
vulnerability, I would expect them to update their
products also. When's the last time TruSecure spent
any R&D Money finding vulnerabilities and released an

Atleast ISS is helping find these vulnerabilities,
working with the vendors to correct, and if they want
to update their products and make money off of it, so
be it.  We still do live in a capitalistic society. 
ISS, Bindview, Foundstone, and any other security
company that finds holes and updates its products for
these new vulnerabilities will make their customers'
more protected; I think that is why they are in
business and that's why they invest in finding
vulnerabilities and fixing them.  

In the end, I'd rather have a security company find
the vulnerabilities and work with the vendor to fix,
then to stay in the dark and let the holes stay open
for intruders to exploit.

Mark Sala
System Admin

Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site