North American Network Operators Group


Re: IBM report reviews Internet crime

  • From: Florian Weimer
  • Date: Wed Feb 13 06:22:22 2008

* Owen DeLong:

> On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:
>
>> * Owen DeLong:
>>
>>> If the vulnerability cannot be corrected through a vendor patch,
>>> then, one has to wonder what, exactly the vulnerability is.
>>
>> You assume that a vendor patches a vulnerability once they learn
>> about it.  In my experience, this is not true.  Sometimes it's easy
>> to explain (product or vendor ceased to exist), sometimes it's not
>> (some cross-site scripting issues I'm trying to straighten out;
>> minor bugs to you perhaps, but huge media exposure because of their
>> visibility and reproducibility--think FDIV bug).
>
> No, I presume that a vulnerability identified as "cannot be resolved
> through vendor patch" means a vulnerability for which, even if a
> vendor patch were available, it would not resolve the vulnerability.

These vulnerabilities surely exist, but they are usually not considered
software vulnerabilities as such, and are usually not part of such
vulnerability reports.  (A popular example is attacks on the eBay
transaction protocol.)

> A vulnerability for which a patch is not yet available, but, which
> could be resolved if the vendor released a patch is a vulnerability
> which "CAN be resolved through vendor patch when one becomes
> available."

I wouldn't view it this way, but I can understand that this is a
possible interpretation.

> It is unclear from the text provided which of our conflicting
> definitions for the term applies in IBM's text.

True, I'll try to get clarification.