[14450] in bugtraq
Napster, Inc. response to Colten Edwards
daemon@ATHENA.MIT.EDU (Elias Levy)
Thu Mar 30 14:58:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000330115149.A27856@securityfocus.com>
Date: Thu, 30 Mar 2000 11:51:49 -0800
Reply-To: aleph1@SECURITYFOCUS.COM
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
----- Forwarded message from Jordan Ritter <jpr5@napster.com> -----
Date: Wed, 29 Mar 2000 13:50:05 -0800
From: Jordan Ritter <jpr5@napster.com>
To: aleph1@securityfocus.com
Subject: Napster, Inc. response to Colten Edwards
Message-ID: <20000329135005.A17554@napster.com>
Aleph --
I'm waiting for listserv to come through on my napster.com
subscription to bugtraq, but it's lagging. Please push this
through. Thanks.
--jordan
-----
BugTraq readership:
This email is in response to the recent post by Colten Edwards
regarding a potential buffer overflow in the Napster client
software.
The Napster Win32 client software does contain an overflow in its
messaging functionality, which includes public (chat) and private
(IM) messaging. The overflow only affects users of the Win32
Napster client, and could only be exploited through the use of a
rogue Napster client in conjunction with a Napster server.
Napster, Inc. reports NO indication that this vulnerability is
being exploited, and further would like to assure the general
public that the vulnerability is NOT an issue any longer.
Approximately one hour after receiving the post from BugTraq,
Napster's servers were patched to prevent this from occurring.
Users of the Napster Win32 client software are NOT vulnerable.
We would like to point out the unfortunate fact that we first
learned of this issue through BugTraq. The discovery of the
problem was apparently relayed briefly to the #napster channel on
EFnet IRC by Colten Edwards, before being posted to this list
approximately one hour later. Napster, Inc. was never notified of
this issue via phone, email, or across any other effective channel
of communication.
This situation is particularly disturbing to us, as Mr. Edwards'
malicious intent becomes painfully obvious from the tone and
candor of his post. To the best of our knowledge, the general
policy on BugTraq is that vendors should be notified of issues and
given a reasonable amount of time to address the problem, so as to
avoid unnecessary risk to the vendor's customers. A meaningful
notification from Mr. Edwards and a small amount of patience would
have resulted in a fix before the potential vulnerability put our
users at risk. Of course, understanding the time frame involved
and the intent of the post, we can only voice our dismay and
disapproval of Mr. Edwards' actions.
Thank you, and good day.
Jordan Ritter
Security Director
Napster, Inc.
Napster -- Music at Internet Speed
----- End forwarded message -----
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
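The response above says the fix went into Napster's servers, which sit between every client and so can refuse to relay a chat or IM message the Win32 client could not safely hold. The following is an added illustration of that kind of server-side relay check, written for this archive page; it is not Napster's code, and the frame layout (16-bit length, 16-bit type, then `sender body`), the message-type numbers and the 255-byte body limit are all constructed assumptions chosen to make the example runnable.

```python
# Added example: a server-side relay filter that bounds chat / IM message bodies
# before they are forwarded to other clients. The framing, type codes and the
# body limit below are constructed assumptions, not the real Napster protocol.
import struct
from typing import List, Tuple

MAX_BODY_BYTES = 255   # hypothetical: the largest body a client buffer may receive
MSG_PUBLIC = 1         # hypothetical type code for a public (chat) message
MSG_PRIVATE = 2        # hypothetical type code for a private (IM) message


def build_frame(mtype: int, sender: bytes, body: bytes) -> bytes:
    """Encode a frame as <u16 payload length><u16 type><sender SP body>."""
    payload = sender + b" " + body
    return struct.pack("<HH", len(payload), mtype) + payload


def parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Decode a frame; raise ValueError if the declared length disagrees with
    the bytes that actually arrived, so a lying header is never trusted."""
    if len(frame) < 4:
        raise ValueError("short header")
    length, mtype = struct.unpack("<HH", frame[:4])
    payload = frame[4:]
    if len(payload) != length:
        raise ValueError(f"declared {length} bytes, got {len(payload)}")
    return mtype, payload


def check_message(mtype: int, payload: bytes) -> Tuple[bool, str]:
    """Decide whether a parsed message may be relayed. Over-long bodies are
    rejected rather than truncated, so a receiver sized to MAX_BODY_BYTES
    never sees more than it can hold."""
    if mtype not in (MSG_PUBLIC, MSG_PRIVATE):
        return False, f"unknown message type {mtype}"
    sender, sep, body = payload.partition(b" ")
    if not sep or not sender:
        return False, "missing sender or body"
    if len(body) > MAX_BODY_BYTES:
        return False, f"body {len(body)} bytes exceeds {MAX_BODY_BYTES}"
    if b"\x00" in body:
        return False, "embedded NUL in body"
    return True, "ok"


def relay(frames: List[bytes]) -> Tuple[List[bytes], List[Tuple[str, str]]]:
    """Run every inbound frame through the checks. Returns the frames that may
    be forwarded and a (category, reason) log entry for each one dropped; the
    dropped log is what an operator would alert on."""
    forwarded: List[bytes] = []
    dropped: List[Tuple[str, str]] = []
    for frame in frames:
        try:
            mtype, payload = parse_frame(frame)
        except ValueError as exc:
            dropped.append(("malformed", str(exc)))
            continue
        ok, reason = check_message(mtype, payload)
        if ok:
            forwarded.append(frame)
        else:
            dropped.append(("rejected", reason))
    return forwarded, dropped


# Constructed sample traffic: one ordinary chat line, one oversized IM body,
# one frame whose header lies about its length, and one body with a NUL.
SAMPLE_FRAMES = [
    build_frame(MSG_PUBLIC, b"alice", b"hello everyone"),
    build_frame(MSG_PRIVATE, b"mallory", b"A" * 600),
    b"\x05\x00\x01\x00hi",
    build_frame(MSG_PUBLIC, b"bob", b"x\x00y"),
]

if __name__ == "__main__":
    ok_frames, drop_log = relay(SAMPLE_FRAMES)
    print(f"forwarded {len(ok_frames)}, dropped {len(drop_log)}")
    for category, reason in drop_log:
        print(f"  {category}: {reason}")
```

Rejecting instead of truncating keeps the relay's behaviour simple to reason about, and the dropped-message log gives the server operator a signal that a client is sending bodies no legitimate client would produce.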