[14462] in bugtraq
Re: Napster, Inc. response to Colten Edwards
daemon@ATHENA.MIT.EDU (Danny Crawford)
Fri Mar 31 16:29:24 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <001d01bf9aa8$2ff17600$29383fd8@swbell.net>
Date: Thu, 30 Mar 2000 18:29:33 -0600
Reply-To: Danny Crawford <drc@SOPHMAN.COM>
From: Danny Crawford <drc@SOPHMAN.COM>
X-To: aleph1@SECURITYFOCUS.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
That's funny because I know of three (one was me) people that notified
Napster of this problem on IRC and via landline.
----- Original Message -----
From: "Elias Levy" <aleph1@SECURITYFOCUS.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, March 30, 2000 1:51 PM
Subject: Napster, Inc. response to Colten Edwards
> ----- Forwarded message from Jordan Ritter <jpr5@napster.com> -----
>
> Date: Wed, 29 Mar 2000 13:50:05 -0800
> From: Jordan Ritter <jpr5@napster.com>
> To: aleph1@securityfocus.com
> Subject: Napster, Inc. response to Colten Edwards
> Message-ID: <20000329135005.A17554@napster.com>
>
> Aleph --
>
> I'm waiting for listserv to come through on my napster.com
> subscription to bugtraq, but it's lagging. Please push this
> through. Thanks.
>
> --jordan
>
> -----
>
> BugTraq readership:
>
> This email is in response to the recent post by Colten Edwards
> regarding a potential buffer overflow in the Napster client
> software.
>
> The Napster Win32 client software does contain an overflow in its
> messaging functionality, which includes public (chat) and private
> (IM) messaging. The overflow only affects users of the Win32
> Napster client, and could only be exploited through the use of a
> rogue Napster client in conjunction with a Napster server.
>
> Napster, Inc. reports NO indication that this vulnerability is
> being exploited, and further would like to assure the general
> public that the vulnerability is NOT an issue any longer.
>
> Approximately one hour after receiving the post from BugTraq,
> Napster's servers were patched to prevent this from occurring.
> Users of the Napster Win32 client software are NOT vulnerable.
>
> We would like to point out the unfortunate fact that we first
> learned of this issue through BugTraq. The discovery of the
> problem was apparently relayed briefly to the #napster channel on
> EFnet IRC by Colten Edwards, before being posted to this list
> approximately one hour later. Napster, Inc. was never notified of
> this issue via phone, email, or across any other effective channel
> of communication.
>
> This situation is particularly disturbing to us, as Mr. Edwards'
> malicious intent becomes painfully obvious from the tone and
> candor of his post. To the best of our knowledge, the general
> policy on BugTraq is that vendors should be notified of issues and
> given a reasonable amount of time to address the problem, so as to
> avoid unnecessary risk to the vendor's customers. A meaningful
> notification from Mr. Edwards and a small amount of patience would
> have resulted in a fix before the potential vulnerability put our
> users at risk. Of course, understanding the time frame involved
> and the intent of the post, we can only voice our dismay and
> disapproval of Mr. Edwards' actions.
>
> Thank you, and good day.
>
>
> Jordan Ritter
> Security Director
> Napster, Inc.
>
> Napster -- Music at Internet Speed
>
> ----- End forwarded message -----
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
>