irresponsible disclosure

Written by jlgaddis on December 25, 2004 – 1:01 pm

By Erik Fichtner, Internet Storm Center Incident Handler.

Taken from Diary, 12/23/2004:

On 31 August 2004, Oracle released patch number 68 to correct a large number of vulnerabilities in nearly all production versions of the Oracle database software. In conjunction with this, the discoverer of these vulnerabilities released a notification that the flaws existed, that they deserved your attention, and that he was going to withhold details of the vulnerabilities for three months, until 31 November 2004, to give Oracle administrators ample time to patch, and the rest of the InfoSec community time to twiddle their thumbs aimlessly.

Likewise, said discoverer also found flaws in the IBM DB2 database, and released information on them with similar time parameters: 9 September 2004 to 1 December 2004.

1 December 2004 came and went with nary a mention of the details of any of these vulnerabilities.

Today, 23 December 2004, a time when many database administrators who have not already left on holiday vacation are starting to plan their extended holiday weekend, this “responsible discloser” lets the other shoe drop on these vulnerabilities. Pardon me, but exactly what message is this action trying to send? That if you failed to get your patching done before details of these flaws were released, you apparently deserve to have your holiday plans potentially ruined? For the record, I’m personally partial to the “full disclosure” method, but releasing exploit details immediately prior to a major holiday is mean, spiteful, and rude.

You could have waited until 1 January 2005 with no further ill effect, or released the information on 1 December 2004 as you originally promised.

David Litchfield, you sir, are a grinch. Nice going.

By the way, if you haven’t already patched: yes, they’re serious vulnerabilities. Oracle Link, IBM Link #1, and IBM Link #2.

The opinions contained within this diary entry are personal opinions, and not representative of the entire Internet Storm Center, or the SANS Institute, or really anyone else, for that matter.


That last paragraph isn’t exactly true. Erik’s opinion above IS representative of my opinion. I couldn’t agree more, Erik. –Jeremy
