Sybase Drops Gag Threat Against Security Research Co.

By Lisa Vaas  |  Posted 2005-04-05

Sybase Drops Gag Threat Against Security Research Co.

Sybase has dropped its threat of legal action and allowed a security research company to release information about previously addressed database vulnerabilities.

Next Generation Security Software Ltd. on Tuesday published details of six security flaws in Sybase Adaptive Server Enterprise.

NGSS initially reported the flaws—six buffer overflows and one denial of service—to Sybase Inc. last year. Sybase, based in Dublin, Calif., released an updated version of the software earlier this year and alerted customers that they should upgrade to the latest version.

NGSS, based in Surrey, England, follows a self-imposed policy of not releasing specific details of any vulnerabilities it finds until after a vendor has either fixed the problem or had ample time to do so and decided not to release a patch—usually three months.

The company intended to release details of the database flaws on March 21 of this year but slammed on the brakes after receiving a letter from Sybases legal department. The letter cited licensing policy that, it said, meant NGSS would be subject to legal action if the company went ahead with its plans to publish the details.

Click here to read more about Sybases legal threat against security research company NGSS.

Some members of the security community were outraged by what appeared to be Sybases attempt to gag researchers.

For their part, NGSS researchers said they were startled by the unprecedented action. "From our point of view, its pretty shocking," said Chris Anley, NGSS director. "Theres a fair bit of zero-day disclosure out there, or disclosure that includes exploit code. You could call it pretty irresponsible. … Our disclosure policy of waiting three months after to disclose details, thats pretty much the most responsible policy of security firms out there."

What followed were a few weeks of back-and-forth between the big database vendor and the little security firm, Anley said. "We had a few rounds of discussions about what we were going to publish and how we were going to do it, and we finally reached a level of detail that both sides were happy with," he said. "All we wanted to do was make sure the technical information got out, and all Sybase wanted to do was make sure they had a reasonable measure of control."

Kathleen Schaub, vice president of product marketing for Sybases Information Technology and Solutions group, said the fracas was essentially caused by miscommunication.

"The original intention was simply to make sure that there was nothing that was being done that would actually make the situation worse for our customers," she said. "It was more of an asking for more information, more lets think about this, wait a second, this makes us a little nervous to not know whats being disclosed kind of thing," Schaub said.

As soon as Sybase was alerted to the fact that miscommunication had occurred, the company got in touch with NGSS to tell the firm its real intention, she said, and to work through what would be said in the advisory.

Next Page: Sybases edits were "trivial," according to NGSS.

Sybases Edits Were Trivial

The subsequent editing was trivial, Anley said, being concerned with level of detail and language involved. "If you read the advisory, theres enough technical information for people to make a realistic assessment of the impact of the bugs to their organization, and they can work out what they want to do with them. Thats why we wanted to make sure the details were published."

NGSS took care in the exchange of e-mails to ensure that evidence of mitigation made its way into the final draft of the advisory, Anley said.

Thats important to ensure that database administrators have enough information to make sound decisions about patch application, he said.

"Realistically, one major reason administrators want details is so they can make mature assessments of what the impact is of these bugs," Anley said. "How much does it affect them? If this database is a back end for my server, what are [the bugs] vectors? How likely is it that someone can take control of my database?"

Beyond that, the advisory is 95 percent of what NGSS wrote in the first place, Anley said.

The agreement reached between NGSS and Sybase pertains only to the bugs in question, not to any future vulnerability discoveries, Anley said. Hence, the question remains as to the extent to which vendors will be newly emboldened when it comes to meddling with researchers.

This incident could be a harbinger of a future test case in which the legality of license agreements to restrict customers ability to talk about a given product is put to the test, Anley said.

On the plus side, Anley said, Sybase was open to coming to a reasonable solution. "Weve all got mortgages to pay. We dont want to be threatened by large companies, whether theyve got a case or not," he said. "I dont know what initiated the process on their side: why they thought it was a good idea. Certainly we werent going to just sit back and say, All right then, were not going to publish that. But it wasnt a hugely confrontational thing. They just wanted to find an amicable solution. At the end of the day, we both have the interests of Sybase customers at heart."

For its part, Sybase intends to be a "little more proactive" in working with security firms that contact the company, Schaub said. "Frankly, this doesnt happen to us this often," she said. "There were a couple of incidents over the last couple years, but its not something we run into a whole lot."

Check out eWEEK.coms for the latest database news, reviews and analysis.

Rocket Fuel