    Sybase to Security Researchers: Stay Quiet or We’ll Sue

    Written by

    Lisa Vaas
    Published March 22, 2005
      Sybase has threatened legal action against a security research firm if it releases details of vulnerabilities it found last year in Sybase’s Adaptive Server Enterprise product, even though Sybase already has issued patches for the flaws.

      Such threats of legal action are not unprecedented, but they typically come in the form of phone calls from vendors, not letters from lawyers, researchers say.

      NGS Software Ltd. found eight buffer-overrun and denial-of-service vulnerabilities in Sybase ASE 12.5.3 in 2004 and subsequently notified the company of the problems. Sybase Inc., based in Dublin, Calif., released an updated version of the software earlier this year and alerted customers that they should upgrade to the latest version.

      NGSS, based in Surrey, England, follows a self-imposed policy of not releasing specific details of any vulnerabilities it finds until after a vendor has either fixed the problem or has had ample time to do so and has decided not to release a patch, usually three months.

      The company had planned to release the details of the Sybase flaws on Monday, but that idea was scuttled when NGSS received a letter from Sybase’s legal department informing NGSS that it would be subject to legal action if the company went ahead with its plans to publish the details.

      David Litchfield, a research scientist and one of the founders of NGSS, told eWEEK.com that the crux of the matter involves the license agreement for the Developer Edition of Sybase ASE, which reads, in part: “Results of benchmark or other performance tests run on the program may not be disclosed to any third party without Sybase’s prior written consent.”

      According to Litchfield, Sybase’s letter states that, due to the license agreement clause, the company will consider it a “material breach” if NGSS publishes details on the security flaws.

      Sybase is thus treating NGSS’ work of finding security bugs as equivalent to benchmarking and performance testing—a unique interpretation, at least in the history of NGSS.

      “It’s shocking,” said NGSS researcher Mark Litchfield—David Litchfield’s brother—in an interview with eWEEK.com. “If you take at least the past eight years, we’ve never had a response like this. The typical response [from vendors] is favorable.

      “They’ll let us know when a patch has come in, we’ll test it, they’ll put an advisory out, we’ll put an advisory out, they’ll say, ‘Come here to download the patch,’ and at that point we’ll release an advisory saying there’s a vulnerability and this is where you can get the patch.”

      NGSS’ working relationship with Sybase has been “excellent” up to now, Mark Litchfield said. “This is unprecedented for a vendor and for us, and we’ve dealt with IBM, Microsoft [Corp.], Oracle [Corp.], all the big ones,” he said. “This is completely new for us.”

      Pressure on Sybase

      NGSS is now seeking legal advice to see what it can and can’t do, according to Mark Litchfield.

      In a post to the BugTraq security mailing list Monday, the company said that, given Sybase’s actions, it didn’t feel comfortable publishing the full details of the research yet.

      “On the morning of March 21, NGSS received a letter from the Sybase legal team requesting that NGSS withhold technical details of these serious vulnerabilities indefinitely. Consequently, NGSS feels unable to publish the technical details of these bugs until the legal situation has been resolved,” the post said.

      In a follow-up posting later in the day, David Litchfield said Sybase’s legal maneuverings sent a bad message.

      “Let’s face it, the details are there to anyone with a disassembler, anyway. This kind of legal threat achieves nothing other than to make legit researchers fearful about being sued if they find and publish security issues—even if they do so in a responsible manner,” Litchfield wrote. “In such a climate, security research will be driven underground—which is where the good guys really don’t want to be.”

      David and Mark Litchfield are well-known in the security research community and are quite prolific, having found dozens of flaws in a range of enterprise products in the past few years. The pair were in the habit of releasing exploit code with some of their vulnerability advisories, but they abandoned that practice after the appearance of the Slammer worm in 2003.

      David Litchfield had written a white paper that included some instructions for exploiting the vulnerability that the worm attacked, and the worm’s author appropriated some of the sample code.

      Since then, the company has hewn to its policy of not releasing any details of a flaw until a fix is available. In fact, Sybase went so far as to thank NGSS for its restraint in the customer advisory the software vendor published on the ASE flaws.

      “Please note that to protect the security and integrity of the existing operating environments, NGS Software Ltd. has not published the details of the security vulnerabilities,” the company wrote in its advisory.

      “However, if NGS follows their stated policy, they will publish details of the issues they identified on or after March 21, 2005. Sybase Inc. appreciates the efforts of NGS to continually strengthen software throughout the industry by monitoring and testing.”

      Following inquiries, Sybase issued a statement saying it was “working closely” with NGSS to resolve the matter.

      “Sybase constantly strives to improve the security and functionality of its software,” the statement said. “Sybase appreciates the efforts of its customers and companies like NGS who occasionally find issues which are brought to Sybase’s attention. The issues identified by NGS have been fixed by Sybase, and the fixes have been and are available to customers here and here.

      “Sybase’s primary responsibility is to ensure the security of its customers, which include Fortune 50 companies and federal government entities, including branches of military, transportation and other agencies,” the statement said.

      “Sybase does not object to publication of the existence of issues discovered in its products. However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers. As such, Sybase requires that any third-party disclosure of issues discovered in Sybase products be done in accordance with the terms of the applicable Sybase product license. Sybase has been working closely with NGS to resolve this matter.”

      This all likely amounts to pressure from Sybase’s customer base, Mark Litchfield said, which flooded Sybase’s support lines following NGSS’ initial filing of its report on the flaws. “It’s probably pressure from the client base,” he said. “Most [of Sybase’s] money comes out of Wall Street.”
