Security experts are expressing outrage over legal threats from Sybase Inc. aimed at preventing a British research company from publishing details of serious flaws in one of the companys products.
The legal maneuvering would hurt users and vendors by thwarting dissemination of critical security information or by forcing researchers to publish advisories and code anonymously to avoid prosecution, the experts say.
The move by Sybase came last week as Next Generation Security Software Ltd. was preparing to publish the technical details of vulnerabilities in Sybases Adaptive Server Enterprise product.
Although NGS notified Sybase of the issues and the vendor released patches for the flaws three months ago, Sybase officials sent a letter notifying NGS that it would be in violation of Sybases EULA (end-user license agreement) if it published further information about the vulnerabilities.
The legal threat is based on a clause in the EULA that prohibits users from publishing the results of “benchmark or performance tests” without Sybases consent. Many software vendors have such clauses in their license agreements, but few in the research community expected such language to be applied to security testing, insiders say.
“Its shocking,” said Mark Litchfield, a co-founder of NGS, in Surrey, England. “If you take at least the last eight years, weve never had a response like this. The typical response [from vendors] is favorable.”
In a statement, Sybase, of Dublin, Calif., said: “Sybase does not object to publication of the existence of issues discovered in its products. However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers. Sybase requires any third-party disclosure of issues discovered in Sybase products be done in accordance with the terms of the applicable Sybase product license.”
Many researchers said they were surprised by Sybases tactics but not by the fact that a software vendor was trying to stop vulnerability details from becoming public. If Sybase is successful, other vendors likely will follow suit, they said.
“Ive had legal threats in the past but never after the patch came out, and they usually go away with a little logic,” said Thor Larholm, senior security researcher at PivX Solutions Inc., in Newport Beach, Calif. “This will have a lot of implications, none of them positive. The only thing that will happen is that all of us good guys wont want to notify the vendor.”
In that scenario, Larholm said, the real losers are the vendors customers who wont have the technical details they need to verify a system vulnerability to a particular flaw. Meanwhile, if the same information circulates in the hacking underground, Larholm said, attackers will have more time to build exploits.
“People dont understand the ramifications of this. Things are even worse now in terms of the ability of hackers to reverse-engineer patches and binaries,” said Mark Loveless, a former hacker who now works as a security analyst at BindView Corp., in Houston. “If you take away the public details, they will stay in private circles, and some of the people in those circles have nefarious intent. Many of these guys are perfectly willing to go back underground. There are skilled hackers working hard to reverse-engineer that [Sybase] patch. I know some of them personally. Theres going to be exploit code out within a week.”