Feeds

Software maker releases the hounds on security vuln reporter

Too late

Choosing a cloud hosting partner with confidence

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product.

A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating to security errors in Autonomy's Keyview SDK that could allow attackers to remotely execute malicious code on an end user's machine. The software is available as a stand-alone product and is also integrated into IBM's Lotus Notes and Symantec's Mail Security.

Although Autonomy appears to have patched the vulnerability some nine months ago, IBM only recently plugged the hole in various versions of its Lotus Notes products. That caught the attention of Secunia, which serves as a site of record for security vulnerabilities and, when available, patches that correct them.

According to documents posted here, a Secunia researcher emailed Autonomy asking for more details, specifically, what versions of the SDK are vulnerable and what versions are fixed by Autonomy's patch.

What followed was a letter from Autonomy's associate general counsel saying the vulnerability had already been fixed and arguing an advisory that publicly acknowledged the patch would only mislead and confuse people. It went on to threaten legal action should Secunia go ahead with an advisory.

"We demand that you withhold publication of your intended advisory (as well as any other advisory related to our products, including, without limitation any advisory related to Applix Graphics Parsing vulnerabilities) absent our prior express written consent and that you consult with us in full, and at least two weeks prior to any intended publication date, so that we may have a reasonable opportunity to resolve any issues in advance," the letter stated.

The flare-up is the latest example of the risks security researchers face when publicly exposing security bugs that potentially can have devastating effects on those using the faulty products. The biggest conflict to date came when Cisco Systems got a restraining order against researcher Michael Lynn to prevent him from discussing a flaw in one of the networking giant's routers. Oracle and Apple have also been known to have testy relationships with people criticizing the security of their products.

Autonomy's December 2 letter was followed by at least two more that warned Secunia of the consequences should it publish an advisory. Among other things, the legal broadsides threatened legal action if Autonomy determined Secunia had obtained the SDK code through illegal means.

"Rather than pursuing a letter writing campaign, suffice to say that we will not tolerate any publications regarding our company, our products, our services or our practices, which violate our intellectual property rights, or which give rise to any cause of action in equity or at law," the Autonomy attorney, Joel Scott, wrote on December 5. "While it is always our preference to resolve issues amicably, we are hopeful that you will ensure that Secunia remains in full compliance with all of its legal responsibilities and obligations, including to our customers and ourselves."

The irony is that Autonomy's missives relating to the anticipated article came three days after Secunia published this advisory about the Keyview bug. Did no one in Autonomy's legal department bother to check?

Update

After this story was published, Autonomy responded with a statement that read in part:

"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.