I’m not advocating CA give out details of vulnerability exploits, but at least tell us a fix has some level of security consequences so that you could fairly assess whether to pay more attention to it. Everyone’s very busy and makes a decision whether or not to take time to apply and test a fix based on its perceived impact to their system.
-----Original Message-----
From: VM/ESA and z/VM Discussions [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Walter
Sent: Friday, October 28, 2005 2:24 PM
To: [email protected]
Subject: Re: How to handle security hole?
John,

Would that be the unnamed product's "remove obsolete command" fix? :-)

If so.... VERY NICE catch!

Tough call on documenting security fixes as such. It can be argued either way. However, general internet users can't just access CA sites to scan fixes (at least we should hope not!).

How about if CA published the fix with the current obfuscation (I love that word), and then followed up with an e-mail to registered customers providing more specific security warnings? That provides registered, paying, supported customers with the information they need, and helps "hide" the fix from anyone who might stumble across it.

Mike Walter
Hewitt Associates

The opinions expressed herein are mine alone, not my employer's.
"Romanowski, John (OFT)" <[EMAIL PROTECTED]>
Sent by: "VM/ESA and z/VM Discussions" <[email protected]>
10/28/2005 01:11 PM
I alerted Computer Associates (CA) to a security hole in one of their VM products that lets any VM userid control a VM system that runs this product. CA wrote a fix.

If your VM system's running this product without the fix then it has this security hole active now. The security hole is installed by default and there's no product installation step or configuration parameter that closes the hole.

CA and I have agreed to disagree on how well they alert their customers to the existence of security-related fixes for VM products.

My question to all is: would you rather CA labeled VM product fixes as security-related or not? Is security thru obscurity better?