Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Availability of Patches Stirs Controversy

    By
    Dennis Fisher
    -
    November 25, 2002
    Share
    Facebook
    Twitter
    Linkedin

      An apparent delay in the availability of patches for the vulnerabilities in BIND that were disclosed earlier this month is highlighting the seemingly endless debate over when and to whom vulnerability data should be released.

      Internet Security Systems Inc.s X-Force research team on Nov. 12 released an advisory warning of three newly discovered vulnerabilities in Berkeley Internet Name Domain Versions 4 and 8. One flaw allows a remote attacker to take over a vulnerable server and run whatever code he or she chooses.

      ISS officials said they did not believe that the vulnerabilities were known in the computer underground or were being actively exploited by crackers. The advisory also said patches for the problems were ready and provided an e-mail address at the Internet Software Consortium where users could request the patches.

      However, according to messages from BIND users posted on a security mailing list, the patches at the time of the advisory apparently were available only to organizations that had paid the ISC a fee to receive early warning of problems with BIND. The ISC, which maintains BIND, established a limited-distribution, early-notification mailing list last year when word of another batch of vulnerabilities leaked before patches were available.

      BIND runs on the vast majority of the Internets Domain Name System servers, a key part of the global networks infrastructure.

      The list was meant to give vendors some lead time to fix their software before an announcement went to the general public. However, in this case, the advisory hit the Internet at least 24 hours before the patches were available to most BIND users.

      That window of time when a vulnerability is publicly disclosed and the patch is released is at the heart of the full-disclosure debate about how much information to release and who should have access to it.

      Michael Brennen, president of FishNet Inc., a Plano, Texas, domain registrar, wrote in a message to BugTraq that he e-mailed the ISC and asked to be sent the patches. Brennen received a response about 8 hours later saying that he had been added to the patch announcement list. He also asked why the patches had not been made available at the time of the advisory.

      ISC officials told Brennen that they wanted to make sure that the right audience had the patches first.

      “My response to [the ISC] was that the right audience should change in relation to the announcement. As of the moment of the announcement, the right audience should be expanded to include all those placed at risk because they use the software,” Brennen wrote. “Failure to make the patches available suddenly puts many systems at rapidly increasing risk.”

      ISS security officials said they coordinated their release with the ISC.

      “Our understanding was that the patches were available to everyone” when the advisory was published, said Dan Ingevaldson, team lead for ISS X-Force, based in Atlanta. “We notified them of the vulnerabilities on Oct. 25. They knew when we were releasing it.”

      ISC officials, in Redwood City, Calif., said the patches were posted to the organizations site at about 7 p.m. EST Nov. 13.

      “Prior to this, as early as [Nov. 11], the patches were available for the asking to anyone who wasnt obviously going to reverse-engineer them for malicious purposes or distribute them without our permission,” said Lynda McGinley, program director of the ISC. “Unfortunately, we werent able to keep the patches from leaking out. Members of the BIND Forums early-security-notification announcements received the patches over the weekend.”

      In an e-mail interview, FishNets Brennen said he chose not to pay the fee to join the early-announcement list and is now preparing to remove BIND from his environment.

      “Ultimately, each of us has to take the final responsibility for the software we choose to use. There is a price to pay for all such choices, whether in money or time or development,” Brennen said. “No doubt some will choose to pay the ISC fees for early notification. I choose not to be held hostage. I will do what it takes to replace BIND in my systems.”

      In a BIND

      Timeline of events in BIND vulnerability report and patch process

      • Oct. 25 ISS reports vulnerabilities to ISC
      • Oct. 30 ISC produces patches
      • Nov. 9-10 Members of BIND Forum receive patches
      • Nov. 12 ISS releases advisory on BIND vulnerabilities
      • Nov. 13 Patches posted to ISC FTP server
      Dennis Fisher

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×