On Wed, Dec 7, 2011 at 2:26 AM, Carl-Johan Bostorp <[email protected]> wrote:
> So it looks like HP is getting sued in a class action lawsuit over the
> firmware upgrade “potential security vulnerability”. It’s claimed that HP
> knew about the vulnerability, but failed to disclose it, and this
> constitutes an “unfair” business act.
> https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true

The 'unfair business practice' is an interesting new angle. The evolution makes sense to me (a legal layman) since other initiatives never seem to gain traction. I know it's apples to oranges, but I've never seen a class action for a data loss survive - it would be nice to see some headway made.

> This is the first case I’ve heard of where this happens. Will be really
> interesting to see what happens. With any luck, vendors will have to at
> least disclose the shit they choose not to fix.
> http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/
> … but then again, there are gradients here that can be difficult to rule.

Excessive patch times are a bit bewildering at times. Apple, IBM, and Microsoft would probably make the list:
https://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/ (Apple update code, 3 years),
http://www.zerodayinitiative.com/advisories/ZDI-10-022/ (IBM Informix librpc.dll Multiple Remote Code Execution, 2 years), and
http://linuxbox.org/pipermail/funsec/2010-April/024746.html (Microsoft GDI vulnerability, 2 years).

> How much would a vendor have to disclose of vulnerabilities known but not
> fixed? Do they get any grace period on fixing these vulnerabilities, or must
> they be made public as soon as they know *anything*? Or is it just when
> they decided not to fix it? If so, can we then expect vendors to have
> vulnerabilities rated as “undetermined” for years? Maybe a 6 months grace
> period from vendor notification to people starting to sue? What about
> severity of vulnerability?

Another interesting question, but recall that Microsoft never released details of MS09-048 since a 'properly configured' server with a 'properly operating' firewall was not at risk (supposedly). People were actually looking for 3rd party patches: http://seclists.org/bugtraq/2009/Sep/116.

Jeff

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
