Secunia in Trouble for Discussing Flaw in its Advisory
An advisory describing critical vulnerabilities in software used for viewing and printing document files has led to a dispute over the disclosure of software flaws, according to Secunia correspondence dated December 6, 2007.
Autonomy, the company that makes the KeyView software development kit, demanded that security firm Secunia remove the vulnerability details from its public advisory, arguing that the publicity could damage the kit's reputation. This is evident from the exchange of e-mails and letters between Autonomy and Secunia and from postings on Secunia's company blog. Before releasing the advisory on November 29, 2007, Secunia had identified several flaws in the development kit and found none in the other products that utilized the kit.
By exploiting the flaws, an attacker could execute malicious code remotely on a user's system. KeyView is available on its own as a supporting component and is also integrated into Symantec's Mail Security and IBM's Lotus Notes.
Although Autonomy patched the flaw back in February 2007, IBM has only recently fixed the bug in the various versions of its Lotus Notes applications. This drew Secunia's attention, as the company specializes in cataloguing security flaws and in seeing them patched wherever possible.
The Channel Register reported that a Secunia researcher had e-mailed Autonomy asking for further details, in particular which versions of the kit were vulnerable and which ones Autonomy had patched.
In response, Autonomy said in a statement that it encourages organizations that publish details of software problems to publish complete information, since partial information could mislead users, and that it appreciates the initiatives of security firms and the service they provide to Autonomy customers. SecurityFocus published the statement on December 7, 2007.
The dispute shows the risks security researchers face when they publicly disclose vulnerabilities that could affect users of the flawed products. One conflict that reached the highest level was when Cisco Systems was asked to restrain its researcher Michael Lynn from writing about a bug in the networking giant's routers.
SPAMfighter News - 20-12-2007