Sybase to Security Researchers: Stay Quiet or Well Sue

In a post to the BugTraq security mailing list Monday, the company said that, given Sybases actions, it didnt feel comfortable publishing the full details of the research yet.

"On the morning of March 21, NGSS received a letter from the Sybase legal team requesting that NGSS withhold technical details of these serious vulnerabilities indefinitely. Consequently, NGSS feels unable to publish the technical details of these bugs until the legal situation has been resolved," the post said.

In a follow-up posting later in the day, David Litchfield said Sybases legal maneuverings sent a bad message.

"Lets face it, the details are there to anyone with a disassembler, anyway. This kind of legal threat achieves nothing other than to make legit researchers fearful about being sued if they find and publish security issues—even if they do so in a responsible manner," Litchfield wrote. "In such a climate, security research will be driven underground—which is where the good guys really dont want to be."

David and Mark Litchfield are well-known in the security research community and are quite prolific, having found dozens of flaws in a range of enterprise products in the past few years. The pair were in the habit of releasing exploit code with some of their vulnerability advisories, but they abandoned that practice after the appearance of the Slammer worm in 2003.

David Litchfield had written a white paper that included some instructions for exploiting the vulnerability that the worm attacked, and the worms author appropriated some of the sample code.

Since then, the company has hewn to its policy of not releasing any details of a flaw until a fix is available. In fact, Sybase went so far as to thank NGSS for its restraint in the customer advisory the software vendor published on the ASE flaws.

"Please note that to protect the security and integrity of the existing operating environments, NGS Software Ltd. has not published the details of the security vulnerabilities," the company wrote in its advisory.

"However, if NGS follows their stated policy, they will publish details of the issues they identified on or after March 21, 2005. Sybase Inc. appreciates the efforts of NGS to continually strengthen software throughout the industry by monitoring and testing."

Following inquiries, Sybase issued a statement saying it was "working closely" with NGSS to resolve the matter.

"Sybase constantly strives to improve the security and functionality of its software," the statement said. "Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybases attention. The issues identified by NGS have been fixed by Sybase, and the fixes have been and are available to customers here and here.

"Sybases primary responsibility is to ensure the security of its customers, which include Fortune 50 companies and federal government entities, including branches of military, transportation and other agencies," the statement said.

"Sybase does not object to publication of the existence of issues discovered in its products. However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers. As such, Sybase requires that any third-party disclosure of issues discovered in Sybase products be done in accordance with the terms of the applicable Sybase product license. Sybase has been working closely with NGS to resolve this matter."

This all likely amounts to pressure from Sybases customer base, Mark Litchfield said, which flooded Sybases support lines following NGSS initial filing of its report on the flaws. "Its probably pressure from the client base," he said. "Most [of Sybases] money comes out of Wall Street."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.