Feeds

Software maker releases the hounds on security vuln reporter

Too late

Protecting against web application threats using SSL

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product.

A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating to security errors in Autonomy's Keyview SDK that could allow attackers to remotely execute malicious code on an end user's machine. The software is available as a stand-alone product and is also integrated into IBM's Lotus Notes and Symantec's Mail Security.

Although Autonomy appears to have patched the vulnerability some nine months ago, IBM only recently plugged the hole in various versions of its Lotus Notes products. That caught the attention of Secunia, which serves as a site of record for security vulnerabilities and, when available, patches that correct them.

According to documents posted here, a Secunia researcher emailed Autonomy asking for more details, specifically, what versions of the SDK are vulnerable and what versions are fixed by Autonomy's patch.

What followed was a letter from Autonomy's associate general counsel saying the vulnerability had already been fixed and arguing an advisory that publicly acknowledged the patch would only mislead and confuse people. It went on to threaten legal action should Secunia go ahead with an advisory.

"We demand that you withhold publication of your intended advisory (as well as any other advisory related to our products, including, without limitation any advisory related to Applix Graphics Parsing vulnerabilities) absent our prior express written consent and that you consult with us in full, and at least two weeks prior to any intended publication date, so that we may have a reasonable opportunity to resolve any issues in advance," the letter stated.

The flare-up is the latest example of the risks security researchers face when publicly exposing security bugs that potentially can have devastating effects on those using the faulty products. The biggest conflict to date came when Cisco Systems got a restraining order against researcher Michael Lynn to prevent him from discussing a flaw in one of the networking giant's routers. Oracle and Apple have also been known to have testy relationships with people criticizing the security of their products.

Autonomy's December 2 letter was followed by at least two more that warned Secunia of the consequences should it publish an advisory. Among other things, the legal broadsides threatened legal action if Autonomy determined Secunia had obtained the SDK code through illegal means.

"Rather than pursuing a letter writing campaign, suffice to say that we will not tolerate any publications regarding our company, our products, our services or our practices, which violate our intellectual property rights, or which give rise to any cause of action in equity or at law," the Autonomy attorney, Joel Scott, wrote on December 5. "While it is always our preference to resolve issues amicably, we are hopeful that you will ensure that Secunia remains in full compliance with all of its legal responsibilities and obligations, including to our customers and ourselves."

The irony is that Autonomy's missives relating to the anticipated article came three days after Secunia published this advisory about the Keyview bug. Did no one in Autonomy's legal department bother to check?

Update

After this story was published, Autonomy responded with a statement that read in part:

"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.