By Brian Krebs
January 11th, 2010
January promises to be a busy month for Web server and database administrators alike: a security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely used commercial software products.
Evgeny Legerov, founder of Moscow-based Intevydis, said he intends to publish the information between Jan 11 and Feb 1. The final list of vulnerabilities to be released is still in flux, Legerov said, but it is likely to include vulnerabilities (and in some cases working exploits) for:
- Web servers such as Zeus Web Server and Sun Web Server (pre-authentication buffer overflows);
- Databases, including MySQL (buffer overflows), IBM DB2 (local root vulnerability), Lotus Domino and Informix;
- Directory servers, such as Novell eDirectory, Sun Directory and Tivoli.
In an interview with krebsonsecurity.com, Legerov said his position on vulnerability disclosure has evolved over the years.
"After working with the vendors long enough, we've come to the conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called 'responsible disclosure' policy," Legerov said. For example, he said, "there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor."