Marketing for security companies now via Secunia!

<sarcasm>
A great new opportunity for IT security companies that sell products for detecting bugs in software automatically (static analysis): report some vulnerabilities after running your program on a bunch of software applications and feature your own product in the “Provided and/or discovered by” field without ever giving details of the error! The last part is important: never give details! That’s sleek, that’s modern, and that’s seemingly a new initiative by Secunia to support third-party security companies. One of the first to take advantage of this new initiative is GLEG Ltd. from Russia.
</sarcasm>

One has to assume it is a new initiative by Secunia, since all of the advisories carry the following note: “Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.” … emphasis mine! Although I wonder how anyone can verify “unspecified errors” beyond letting the reporter swear an oath, let us look at these “advisories” at Secunia:

Now you will wonder: “Wait, doesn’t that guy work at FRISK, the company that produces F-PROT?” Yes, I do. But to make it clear from the start: 1.) this is a private statement, and 2.) it was inspired by the fact that GLEG Ltd. was so kind as to report an unspecified error, which is nothing but disinformation.

Of course every piece of software contains bugs, some more, some less. But that’s not the point, since it is a well-known and “accepted” problem of software. However, reporting an unspecified error is pointless, unless you want to endorse your own product, such as the “VulnDisco Pack” by GLEG Ltd. Not only does it waste bandwidth, traffic and hard disk space, it also consumes other precious resources such as developer time and brain power. Of course, people at FRISK were at first interested in finding out the details in order to fix the bug as soon as possible, only to be disappointed when finding that FUD on the website of Secunia, a renowned security company. Yes, it is FUD!

Let’s face it, the only parties that benefit from these sample advisories are GLEG Ltd. and Secunia, at the cost of the reputation of other companies. I am an advocate of full disclosure, but then please make it full disclosure! It is not even necessary to discuss whether it is moral or not to disclose vulnerabilities to the public rather than to the vendor first (which, AFAIK, was not done), because an attacker can take exactly the same amount of information from these “advisories”: none! Does the word “advisory” not come from “to advise”? I wonder what advice we are supposed to take from this FUD?

Last but not least, here is a simple comparison of the four advisories named above (in the original post, differences were marked in red and insertions in blue):

Description:
GLEG has reported a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in Active Directory. No more information is currently available.

The vulnerability is reported in Windows Advanced Server 2000 SP4. Other versions may also be affected.

Solution:
Filter traffic to services and grant only trusted users access to reduce the risk.

Provided and/or discovered by:
Reported by GLEG Ltd. as part of the VulnDisco Pack.

Description:
GLEG has reported a vulnerability in F-PROT Antivirus, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error and can be exploited to cause a heap-based buffer overflow. No more information is currently available.

The vulnerability is reported in version 3.16f. Other versions may also be affected.

Solution:
No efficient solution is available due to lack of vulnerability information.

Provided and/or discovered by:
Reported by GLEG Ltd. as part of the VulnDisco Pack.

Description:
GLEG has reported a vulnerability in Helix DNA Server, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error and can be exploited to cause a heap-based buffer overflow. No more information is currently available.

The vulnerability is reported in versions 11.0 and 11.1. Other versions may also be affected.

Solution:
Filter traffic to services and grant only trusted users access to reduce the risk.

No efficient solution is available due to lack of vulnerability information.

Provided and/or discovered by:
Reported by GLEG Ltd. as part of the VulnDisco Pack.

Description:
GLEG has reported a vulnerability in eXtremail, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unspecified error. No more information is currently available.

The vulnerability is reported in version 2.1. Other versions may also be affected.

Solution:
Filter traffic to services and grant only trusted users access to reduce the risk.

Provided and/or discovered by:
Reported by GLEG Ltd. as part of the VulnDisco Pack.

Oh, and let’s not forget the note on the website of GLEG Ltd.:

NOTE: We sell information regarding software bugs, not the information how to hack systems.
All our products are intended for security specialists willing to improve their own knowledge or their systems security level.

Sure … and it is sold by literally blackmailing other companies through the reporting of unspecified errors. And how could such a company tell its customers “We fixed the bug” without purchasing the information or software regarding the bug from them (or lying to the customers)? Nice try, but … Нет спасибо! (No, thank you!)

It is worrying that a renowned company such as Secunia is risking its reputation by supporting this crap … I’ll follow up on this if I get new information.

// Oliver

This entry was posted in EN, IT Security, Software.

3 Responses to Marketing for security companies now via Secunia!

  1. reyortsed says:

    Nice one, Secunia. Let’s just report the world as a bug?

    I can see it now…

    “GLEG have discovered a potential undefined bug in an unknown software by an unknown company that could potentially be used to compromise the system in an unspecified way”

    Solution: “Build a time machine, go back in time and prevent software and computers from EVER being invented”…

    I agree with the author of this blog, this is insane… that you seem to have to buy their software to get the info… as the author says, full disclosure is FULL disclosure… come on Secunia, wipe that crap off your site!!!

  2. van says:

    Well,
    discovering bugs is tedious. Who will pay for it if we accept the full-disclosure policy?

  3. Oliver says:

    Very good question. I am sure it will be possible to find a modus operandi. However, this method sounds more like blackmail:

    We know there is a vulnerability and we’ll tell everyone in a very abstract way that there is one – however, we’ll only disclose details if you pay us.

    Basically it is a service no one asked you to do, so the question who has to pay and why is a very good question indeed.

    However, I see that there is another problem: many vendors don’t consider security holes a threat. Either it results in a very relaxed handling of such vulnerabilities, the bugs being ignored, or the PR department “trying to contain” the damage.

    // Oliver
