Cisco IOS Exploit Cover Up

Stephen Sprunk stephen at sprunk.org
Thu Jul 28 18:49:46 UTC 2005


Thus spake "James Baldwin" <jbaldwin at antinode.net>
> Moreover, the fix for this was already released and you have not been 
> able to download a vulnerable version of the software for months; however 
> there was no indication from Cisco regarding the severity of the required 
> upgrade. That is to say, they knew in April that arbitrary code execution 
> was possible on routers, they had it fixed by May, and we're hearing 
> about it now and if Cisco had its way we might still not be hearing about 
> it.

Cisco's policy, as best I can tell, is that they patch security holes 
immediately but delay notification until either (a) six months pass, or (b) 
an exploit is seen in the wild.  The former is intended to give customers 
ample time to upgrade to patched versions (often without their knowledge) 
without tipping their hand to the "bad guys".  However, a CERT advisory is 
prepared and ready for immediate distribution if the latter occurs.

> How many network engineers knew there was a potential problem of
> this magnitude at the beginning of May? If, knock on wood, someone
> had released this code into the wild then how many networks would
> have been vulnerable despite the availability of a fix?

There are network engineers who knew, but they couldn't admit it due to 
NDAs.  This is one of the benefits of buying "high touch" support 
contracts -- and Cisco is not alone in that model.

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov 

More information about the NANOG mailing list