vendors
On 3/23/2011 12:54 PM, Luigi Auriemma wrote:
>> I fundamentally disagree with the idea that public disclosure
>> as a means of vendor notification serves any purpose
> so now the question is, why don't all these "good guys" spend their
> personal time and skills to find these vulnerabilities and reporting
> them to the vendors before me?
>
> the answer is that usually such people don't have the skills or simply
> don't like the idea of doing professional work completely for free and
> even with the obligation of doing everything the vendor wants before
> the release of the patch, which can take months or even years...
> A lot of people are failing to see the vendors' customer side of things.
> Industrial Control Systems (ICS) and SCADA users historically have their
> focus on availability (you don't want your electricity/water/petrochemicals
> being cut now, do you) and safety (no one wants to die making sure you get
> your electricity/water/petrochemicals), and security was never an issue
> because the SCADA systems were air gapped and the security needs were
> different from IT security.
Exactly the same arguments could have been brought up 15 years ago
against the then-disruptive and novel disclosure of vulnerabilities in
NetBSD is not distributed with IPSec support enabled by default; however, Apple
OSX and various other derivatives are. There are so many NetBSD-derived network
stacks that it is infeasible to check them all, so concerned administrators are
advised to check with their vendor if there is any doubt.
Major vendors known to use network stacks derived from NetBSD were pre-notified
about this vulnerability. If I missed you, it is either not well known that you
use the BSD stack, you did not respond to security@ mail, or could not use pgp
properly.
Additionally, administrators of critical or major deployments of NetBSD (e.g.
CVE-C000-00FD
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Microsoft
Google
Mikul
Apple
ISC
post.
1) 24 vulnerabilities mentioned in the initial Bugtraq post and on our
website were discovered both in software and hardware.
The weaknesses found span across multiple vendors, whose software /
hardware products were used to create digital satellite platform "N".
The term "platform" here has a more generic meaning: it covers the devices,
but also the network and the services.
Profiles of the vendors that received our vulnerability notices differ
-- CVSS:
9.7, AV:N/AC:L/Au:N/C:C/I:C/A:P
-- Affected Vendors:
Oracle
ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-032
March 16, 2010
-- Affected Vendors:
SAP
-- Affected Products:
SAP MaxDB
April 2, 2010
-- CVE ID:
CVE-2010-0517
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
* Shellcode Exploit Development
* Application Protocols
* Product Security Testing
* Security Content Development (parsers, reports, alerts)
TELUS Security Labs provides a specialized portfolio of services to assist security product vendors with newly discovered commercial product vulnerabilities and malware attacks. Many of our services are provided on a subscription basis to reduce research costs for our customers. Over 50 of the world's leading security product vendors rely on TELUS Security Labs research.
http://www.telussecuritylabs.com/
June 8, 2010
-- CVE ID:
CVE-2010-1396
-- Affected Vendors:
Apple
-- Affected Products:
Apple WebKit
ZDI-10-090: Novell ZENworks Configuration Management Preboot Service Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-090
June 1, 2010
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
June 21, 2010
-- CVE ID:
CVE-2010-2188
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Flash Player
April 2, 2010
-- CVE ID:
CVE-2010-0526
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
ZDI-10-107: Multiple Sourcefire Products Static Web SSL Keys Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-107
June 10, 2010
-- Affected Vendors:
Sourcefire
-- Affected Products:
Sourcefire 3D Sensor 1000
Sourcefire 3D Sensor 2000
June 25, 2010
-- CVE ID:
CVE-2010-2160
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Flash Player
May 11, 2010
-- CVE ID:
CVE-2010-1281
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Shockwave Player
June 8, 2010
-- CVE ID:
CVE-2010-1402
-- Affected Vendors:
Apple
-- Affected Products:
Apple WebKit
May 11, 2010
-- CVE ID:
CVE-2010-1551
-- Affected Vendors:
Hewlett-Packard
-- Affected Products:
Hewlett-Packard OpenView Network Node Manager
April 2, 2010
-- CVE ID:
CVE-2010-0492
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer
June 30, 2010
-- CVE ID:
CVE-2010-2202
-- Affected Vendors:
Adobe
-- Affected Products:
Adobe Reader
Adobe Acrobat
May 11, 2010
-- CVE ID:
CVE-2010-1555
-- Affected Vendors:
Hewlett-Packard
-- Affected Products:
Hewlett-Packard OpenView Network Node Manager
June 8, 2010
-- CVE ID:
CVE-2010-1404
-- Affected Vendors:
Apple
-- Affected Products:
Apple WebKit
June 8, 2010
-- CVE ID:
CVE-2010-1119
-- Affected Vendors:
Apple
-- Affected Products:
Apple WebKit
June 8, 2010
-- CVE ID:
CVE-2010-1398
-- Affected Vendors:
Apple
-- Affected Products:
Apple WebKit
April 2, 2010
-- CVE ID:
CVE-2010-0516
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
April 2, 2010
-- CVE ID:
CVE-2010-0528
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
June 8, 2010
-- CVE ID:
CVE-2010-1961
-- Affected Vendors:
Hewlett-Packard
-- Affected Products:
Hewlett-Packard OpenView Network Node Manager
May 11, 2010
-- CVE ID:
CVE-2010-1552
-- Affected Vendors:
Hewlett-Packard
-- Affected Products:
Hewlett-Packard OpenView Network Node Manager
April 2, 2010
-- CVE ID:
CVE-2010-0519
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
April 2, 2010
-- CVE ID:
CVE-2010-0060
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime