[Infowarrior] - Secunia faces legal threat over flaw advisory

Richard Forno rforno at infowarrior.org
Sat Dec 8 14:51:58 UTC 2007


Secunia faces legal threat over flaw advisory
Published: 2007-12-07

http://www.securityfocus.com/brief/640?ref=rss

An advisory describing serious flaws in a software module for viewing and
printing document files has become the focus of a dispute over the
disclosure of software vulnerabilities, according to correspondence
published by security firm Secunia on Thursday.

Autonomy -- the maker of the KeyView software development kit (SDK) which
adds document-printing and viewing functionality to applications -- demanded
that Secunia remove details of the flaws affecting the SDK from its public
database, according to the series of letters and e-mails between the two
companies and posted to Secunia's blog. Secunia published the advisory on
November 29, after identifying that several previous vulnerabilities
occurred in the SDK and not in third-party products that used the
development kit.

Several companies -- including IBM and Symantec, the owner of SecurityFocus
-- use the software development kit and have already patched flaws related
to KeyView in their products. Autonomy argued that, because those flaws had
already been disclosed and fixed, it should not be necessary for Secunia to
publish an additional advisory.

"In this particular situation, the security issue was already identified
some time ago by Autonomy and another security research firm and a fix was
quickly produced and made available to customers," the company said in a
statement sent to SecurityFocus. "When we believe users are going to be
misled, we make every effort to ask that an organization publish full and
accurate information. ... As other industry leaders do, we appreciate the
efforts of security research firms and the service they perform for our
customers, who are our number one priority."

Companies occasionally use legal threats against researchers and disclosure
sites for outing flaws in their products. In 2005, Sybase legally hobbled
Next-Generation Security Software, a research and services firm, to prevent
it from releasing details of a flaw that had already been fixed. The company
later allowed the release. In 2006, in an incident made murky by
nondisclosure agreements and media hype, security researcher David Maynor
and consumer technology maker Apple argued over the details of two wireless
flaws that affected Mac OS X as well as Windows computers.

While the disclosure debate is a perennial topic at security conferences,
most companies have accepted that reports of flaws in their software products
could become public.

"There are definitely a lot of companies out there that think
vulnerabilities shouldn't be disclosed," Thomas Kristensen, chief technology
officer for Secunia, told SecurityFocus on Friday. "There are a lot of
companies that don't publish any information about vulnerabilities."

SecurityFocus is owned by Symantec and also published advisories (IBM,
Symantec) on the KeyView flaws.
