[16491] in bugtraq
Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet
daemon@ATHENA.MIT.EDU (Valdis Kletnieks)
Fri Sep 1 16:53:20 2000
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-992760622P";
micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Message-ID: <200009011629.e81GT6026452@black-ice.cc.vt.edu>
Date: Fri, 1 Sep 2000 12:29:05 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
X-To: "Jay D. Dyson" <jdyson@TREACHERY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 31 Aug 2000 14:41:33 PDT."
<Pine.GSO.3.96.1000831142857.22070A-100000@crypto>
--==_Exmh_-992760622P
Content-Type: text/plain; charset=us-ascii
On Thu, 31 Aug 2000 14:41:33 PDT, "Jay D. Dyson" <jdyson@TREACHERY.NET> said:
> That a product is in Beta means that the vendor has a distinctly
> open-door policy on any bug reports regarding the software. Beta == Bugs.
On the other hand, SOME things sort of wedge in 'beta' for forever. For
instance, the 'ICQ-Java' application from www.mirabilis.com has been
at a beta 0.981a level since at least Jan 1998. For that matter, I just
checked their download page, and ALL the ICQ versions are marked 'beta'.
However, there's an INCREDIBLE number of ICQ users - does this mean that
there shouldn't be an alert if there's a problem? Seems to me that it would
be even MORE important to issue an advisory.
> No surprise there. ...Yet when a product is no longer supported, issuing
> a DoS exploit against it isn't only yesterday's news...it's slapping the
> jellied *remains* of a dead horse.
And maybe you *need* to slap the jellied remains to get people to upgrade
and migrate. Somebody just posted to the XEmacs list with a bug report
that XEmacs fails to build in the X11R4 environment that SunOS 4.1.4
provides. Should people on those systems not be told "Hey, there's an
issue here", just because their vendor has dropped support?
And remember - people on beta or unsupported systems may need exploits
*MORE* - because they need tools to see if they are vulnerable, or
whether their local patch has addressed the issue, etc etc etc.
Consider the recent rpc.statd exploit - if it had included "and oh, yeah,
FooBarOS 7.1 is vulnerable too", and FooBar Inc had gone belly up, what do
the legacy users use to test? An exploit known to work is a BIG step
up - there's a lot of people out there who can apply a patch, but aren't
able to craft an exploit themselves. If they have one that works to start,
they can be pretty confident when they've closed the actual hole, as opposed
to merely having been unable to get the exploit to work.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
--==_Exmh_-992760622P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
Comment: Exmh version 2.2 06/16/2000
iQA/AwUBOa/ZUXAt5Vm009ewEQK36ACeNSXf062ahD2WczmkUQuoSyVqud8AmQFD
qqvI+SArQF/HDrRpsr/23O54
=YWwR
-----END PGP SIGNATURE-----
--==_Exmh_-992760622P--
