Thus spake "Gert Doering" <gert@greenie.muc.de>
> I still think that *Cisco* should get their act together now, and quickly
> publish an official statement about which configurations are vulnerable
> and which ones aren't. Most of the facts are out anyway (check
> http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3443).
See below.
Please consider the appropriateness of Cisco responding with details of the
vulnerability before CERT's advisory came out. Any information, such as how
to block the attack, can be used to determine the attack itself, and
therefore contributes to the very problem CERT et al are trying to solve.
In the absence of any known attacks, it is reasonable for CERT to delay full
disclosure by a week or so to ensure that end-users have a chance to obtain
patched products before the skript kiddiez learn how to attack them. This
does not mean they're trying to hide anything, just that they're trying to
be responsible.
Also note that many vendors offer enhanced support levels where pre-release
information is used to advise customers on their specific vulnerability and
needed changes, even if the vendor is not able to release the advisory's
text. For example, ISC offers such service on BIND.
> Cisco did handle it well - up to the point where the CERT advisory came
> out, pointing to a Cisco document that does not exist yet.
Cisco's advisory followed CERT's shortly. It was intended to come out
simultaneously, but last-minute factual corrections delayed it slightly.
S
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:04 EDT