By Dennis Fisher  |  Posted 2002-11-15

Michael Brennen, president of FishNet Inc., a Plano, Texas, domain registrar, wrote in a message to BugTraq that he emailed the ISC and asked to be sent the patches. He received a response about eight hours later saying that he had been added to the patch announcement list. Brennen also asked why the patches had not been made available at the time of the advisory. The ISC told him that they wanted to make sure that the right audience had the patches first.
"My response to [the ISC] was that the right audience should change in relation to the announcement. As of the moment of the announcement, the right audience should be expanded to include all those placed at risk because they use the software," Brennen wrote. "Failure to make the patches available suddenly puts many systems at rapidly increasing risk."
ISS security officials said they coordinated their release with the ISC. "Our understanding was that the patches were available to everyone" when the advisory was published, said Dan Ingevaldson, team lead for ISS X-Force, based in Atlanta. "We notified them of the vulnerabilities on Oct. 25. They knew when we were releasing it."

ISC officials said the patches were posted to the organization's site at about 7 p.m. EST Wednesday. "Prior to this, as early as Monday the patches were available for the asking to anyone who wasn't obviously going to reverse engineer them for malicious purposes or distribute them without our permission," said Lynda McGinley, program director of the ISC. "Unfortunately, we weren't able to keep the patches from leaking out. Members of the BIND Forum's early security notification announcements received the patches over the weekend."

One post to the BugTraq mailing list said the patches were posted to the ISC FTP server late Wednesday night. However, the time stamp on the patches indicates they were produced on Oct. 30, leaving open the question of why they weren't available when the advisory went out Nov. 12.

In an e-mail interview, Brennen said he chose not to pay the fee to join the early announcement list and is now preparing to remove BIND from his environment. "Ultimately each of us has to take the final responsibility for the software we choose to use. There is a price to pay for all such choices, whether in money, or time, or development," Brennen said. "No doubt some will choose to pay the ISC fees for early notification. I choose not to be held hostage. I will do what it takes to replace BIND in my systems."

(Editor's Note: This story has been updated since its original posting to include comments from the ISC's Lynda McGinley.)
