Feeds

Software maker releases the hounds on security vuln reporter

Too late

Build a business case: developing custom apps

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product.

A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating to security errors in Autonomy's Keyview SDK that could allow attackers to remotely execute malicious code on an end user's machine. The software is available as a stand-alone product and is also integrated into IBM's Lotus Notes and Symantec's Mail Security.

Although Autonomy appears to have patched the vulnerability some nine months ago, IBM only recently plugged the hole in various versions of its Lotus Notes products. That caught the attention of Secunia, which serves as a site of record for security vulnerabilities and, when available, patches that correct them.

According to documents posted here, a Secunia researcher emailed Autonomy asking for more details, specifically, what versions of the SDK are vulnerable and what versions are fixed by Autonomy's patch.

What followed was a letter from Autonomy's associate general counsel saying the vulnerability had already been fixed and arguing an advisory that publicly acknowledged the patch would only mislead and confuse people. It went on to threaten legal action should Secunia go ahead with an advisory.

"We demand that you withhold publication of your intended advisory (as well as any other advisory related to our products, including, without limitation any advisory related to Applix Graphics Parsing vulnerabilities) absent our prior express written consent and that you consult with us in full, and at least two weeks prior to any intended publication date, so that we may have a reasonable opportunity to resolve any issues in advance," the letter stated.

The flare-up is the latest example of the risks security researchers face when publicly exposing security bugs that potentially can have devastating effects on those using the faulty products. The biggest conflict to date came when Cisco Systems got a restraining order against researcher Michael Lynn to prevent him from discussing a flaw in one of the networking giant's routers. Oracle and Apple have also been known to have testy relationships with people criticizing the security of their products.

Autonomy's December 2 letter was followed by at least two more that warned Secunia of the consequences should it publish an advisory. Among other things, the legal broadsides threatened legal action if Autonomy determined Secunia had obtained the SDK code through illegal means.

"Rather than pursuing a letter writing campaign, suffice to say that we will not tolerate any publications regarding our company, our products, our services or our practices, which violate our intellectual property rights, or which give rise to any cause of action in equity or at law," the Autonomy attorney, Joel Scott, wrote on December 5. "While it is always our preference to resolve issues amicably, we are hopeful that you will ensure that Secunia remains in full compliance with all of its legal responsibilities and obligations, including to our customers and ourselves."

The irony is that Autonomy's missives relating to the anticipated article came three days after Secunia published this advisory about the Keyview bug. Did no one in Autonomy's legal department bother to check?

Update

After this story was published, Autonomy responded with a statement that read in part:

"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?