[8965] in bugtraq
Re: SUN almost has a clue! (automountd)
daemon@ATHENA.MIT.EDU (Huger, Alfred)
Wed Jan 6 14:04:55 1999
Date: Tue, 5 Jan 1999 15:41:22 -0800
Reply-To: "Huger, Alfred" <Alfred_Huger@NAI.COM>
From: "Huger, Alfred" <Alfred_Huger@NAI.COM>
X-To: Andreas Bogk <ich@ANDREAS.ORG>
To: BUGTRAQ@NETSPACE.ORG
> -----Original Message-----
> From: Andreas Bogk [SMTP:ich@ANDREAS.ORG]
> Sent: Tuesday, January 05, 1999 4:41 AM
> To: BUGTRAQ@netspace.org
> Subject: Re: SUN almost has a clue! (automountd)
>
> On Mon, Jan 04, 1999 at 05:38:46PM -0800, Friedrichs, Oliver wrote:
> > It was never publicly noted, since the problem hasn't been fixed
> > yet (and as a security company, we aren't in the habit of
> > disclosing bugs which aren't fixed), however many people knew
>
> Experience shows that vendors don't move unless the bug is disclosed.
[Huger, Alfred]
The NAI Labs team which discovered the bug (apparently independently
of the previous poster) is the former SNI team; insinuating that we are not
full disclosure would be entirely incorrect. Take a few minutes and check
the Bugtraq list archives for the last 2 years, and you will see significant
participation from our team, from the infancy of this list up to now. This
bug simply did not strike us as an 'immediate post' issue. Had we felt it
was (and we still do not think this is the case), we would have released
an advisory and hopefully received vendor support. If you looked at the 30
advisories we have released to this list, you would note instances where we
posted with vendor support and instances where we did not. This issue simply
was not important enough to expedite and post without vendor support.
> And all the script kiddies out there are probably very grateful for that.
[Huger, Alfred]
Garbage. This insinuates we are somehow culpable for break-ins
because of the 'status-bounce' issue. Perhaps you should re-read the post
containing the description of the problem. The only 'get-root' here is the
automount problem, for which there has been a patch available for some time.
If a machine has fallen prey to an attack via automount, the delivery
mechanism is not the issue here. Not only is this flippant remark
misdirected, it's cheap.