[12788] in bugtraq


Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0

daemon@ATHENA.MIT.EDU (Arvel Hathcock)
Wed Dec 1 12:34:39 1999

X-Mdaemon-Deliver-To: bugtraq@securityfocus.com
Message-Id:  <MDAEMON-F199911301617.AA172323md50000081568@altn.com>
Date:         Tue, 30 Nov 1999 16:17:23 -0600
Reply-To: Arvel@altn.com
From: Arvel Hathcock <Arvel@ALTN.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Many thanks for providing me an opportunity to respond to the recent
DoS issue reported to Bugtraq.  First, let me say that a hotfix
for all our MDaemon/WorldClient Standard customers is available here:

http://www.mdaemon.com/helpdesk/hotfix.htm

and has been available since the very day the problem was brought to
our attention (which was Thanksgiving day I think).  This hotfix is for
MDaemon 2.8.5.0 and higher.

A hotfix for WorldClient Pro is available here:

http://www.worldclient.com/helpdesk/hotfix.cfm

11/30/99 we will release full patches for both products.

Another issue related to 350 simultaneous MDConfig connections has
recently surfaced at ASCII Japan.  MDaemon can be configured to allow
secure MDConfig connections which will prevent this problem from ever
occurring.  This can be done now, however the 11/30/99 full patch will
contain additional coding to prevent such a problem from occurring in
the event that the system admin has left the port wide open for anyone
to exploit.

I am a strong supporter in what groups like Bugtraq and NTBugtraq are
doing and I believe that freely sharing information on security issues
is good for the consumer and good for the software industry as a
whole.  However, I deplore the methods that 'USSRLabs' and others
employ to this end.  Their statement that they have 'contacted the
vendor' is patently false.  No one in our organization was contacted.
I'm certain I speak for many software vendors when I say that groups
like 'USSRLabs' are not really taken seriously.  Their practices seem
to be motivated by a lust for self aggrandizement rather than a genuine
interest in software quality.  The fact is, no one cares (or even
remembers) who discovers a problem with some piece of software.  The
only thing the consumer cares about is getting the problem fixed.  I'm
proud to say that Alt-N has a reputation for quickly fixing any and all
such problems and I'm very proud that over our 4 1/2 year history only
two such problems (counting this one) have ever been discovered.

In conclusion, we found out about this particular issue the same way
everyone else did - via a mailing list post.  But that's ok with us
because the relationship we have with our customers is such that we do
not hide our mistakes from them.  We are not ashamed of problems
because we don't consider ourselves to be gods who are above human
error.  The relationship we have with our customers is not built upon
a 'no mistakes' expectation.  Rather, it is founded on a history of
providing solutions to problems, no matter how large or small, with a
promptness that only small companies like ours can provide.  For the
sake of our customers, not our reputation, it is unfortunate that we
were not contacted earlier as the 'USSRLabs' report falsely claims to
be the case.

Arvel Hathcock
Alt-N Technologies - http://www.altn.com
----------------------------------------
MDaemon - http://www.mdaemon.com
RelayFax - http://www.relayfax.com
WorldClient - http://www.worldclient.com
----------------------------------------
