Regarding rumors of Microsoft involvement in ISS announcement of Apache flaw:

Robert La Ferla Said:

> Apache (and the big bad monopoly tactic)
> ...However, ISS, a Microsoft partner, did not tell the Apache
> developers first so no patch was available yet everyone running
> it was vulnerable. The article implied that Redmond is taking a
> new tactic on badmouthing open source software.

You did not say where the article was. I wanted to see how this rumor was started so I did some searching for the article. Since I went to the trouble of finding out, I will share what I found with the discuss list:

First, the original advisory by ISS was complimentary toward Apache:

"The Apache Project is an open-source and volunteer collaboration aimed to create and maintain a free, feature-rich, powerful, and secure Web server implementation. Apache is well regarded as the best, freely available Web server."

http://online.securityfocus.com/archive/1/277249/2002-06-15/2002-06-21/0

The advisory also included this info about Internet Security Systems (ISS):

"Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East."

A poster on SlashDot said:

"I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases."

http://apache.slashdot.org/apache/02/06/17/1948249.shtml?tid=172

Note: in the above "company" was a link to McAfee Anti-Virus, and "useless bug reports" was a link to commentary on "New Virus Infects Picture Files."
The Register noted the above posting and made it sound more sinister:

"There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say."

http://theregister.co.uk/content/4/25766.html

Robert mentioned that ISS is a Microsoft partner. This does not necessarily mean that MS has any role in ISS's announcement about Apache. ISS is a security solution company. My own feeling is they wanted to be the heroes who announced the problem and provided the solution. Actually providing a poor solution was not to their, or Microsoft's benefit.

ISS partner information:

ISS makes RealSecure® intrusion protection solution, which works on top of, or in conjunction with, other security products by ISS partners including Check Point VPN/Firewall, Netegrity SiteMinder, Top Layer attack Mitigator, Invoc Alarmpoint, Nokia devices, and Microsoft ISA Server (Internet Security and Acceleration Server 2000).

All-in-all, I think ISS wanted the publicity, but they goofed. In my humble opinion rumors of Microsoft's involvement (in this particular instance) are unfounded.

Jim Long