Don,

We take all exploit notifications seriously and are willing to work with the person to track down and correct the problem. Since we were unable to reproduce the problem from the information contained in the bugtraq message and were unaware of the author's intent in releasing a patch, we advised our users to not run the patch. In testing for this exploit we did find a buffer overrun and will be releasing a patch shortly.

John Korsak
Product Marketing Manager

----- Original Message -----
From: "Don Weber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 11:35 AM
Subject: RE: [IMail Forum]

> Scott, I recall the original bugtraq post, and my understanding was that it
> was a full disclosure type of statement. As I understood it, he was
> explaining the problem, and sent source code to reproduce the problem. Yes,
> he sent a patch, but I didn't really feel that he was trying to get people to
> run that; I think he was being quite outright in giving the source code he
> used to create the patch, so that anyone could see that by viewing the
> source and compiling from the source, they get the same program, in which I
> have yet to see any evidence of that source or program containing a trojan.
> Maybe I just read it differently, but the last I saw on bugtraq was Ipswitch
> saying basically that there is no problem. This is what got my attention.
> Personally I am about in the middle of full disclosure practices. I agree
> that informing the company to an extent is and should be attempted, but for
> some reason I think this guy was just looked over. I mean, you can see, he
> reported a problem, and was told he was a hacker trying to get people to run a
> trojan. Do you think it might be possible that he may have informed
> Ipswitch, say, 2 weeks ago, and already got a response from them saying
> there was no problem, and therefore he posted to bugtraq? From what I see
> first hand in this matter, he reported an exploit and was told by
> the company that there is no problem, which leads me to believe that he would
> have got the same response had he followed standard procedure. Look at
> bugtraq yourself; this is exactly what happened.
>
> Don
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> > Sent: Tuesday, July 30, 2002 5:13 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [IMail Forum]
> >
> > > I hope someone at Ipswitch is paying attention to bugtraq; that guy seems
> > > pretty convinced at least that there IS an exploitable hole.
> >
> > They definitely are paying attention, and have tried to reproduce the problem.
> >
> > I, however, can give very little credibility to a hacker that sends a
> > program to thousands of people, trying to get them to run it, claiming that
> > it is a patch. The standard procedure when finding a security hole is to
> > inform the company that makes the product, give them time to fix it, and
> > then post information about the hole. Bypassing the step of informing the
> > company is very unprofessional, and sending a patch that is almost
> > certainly a trojan horse -- well I'll let everyone come to their own
> > conclusion about that one.
> >
> > FWIW, Ipswitch has a very good track record in dealing with *legitimate*
> > security holes.
> >
> > -Scott
> > ---
> > Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
> > IMail. http://www.declude.com
> >
> > ---
> > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
> > Please visit the Knowledge Base for answers to frequently asked
> > questions: http://www.ipswitch.com/support/IMail/
