Rumors of MS involvement in Apache advisory
Jim Long
jimlong at engineer.com
Sat Jun 22 23:59:27 EDT 2002
Regarding rumors of Microsoft involvement in ISS announcement
of Apache flaw:
Robert La Ferla said:
> Apache (and the big bad monopoly tactic)
> ...However, ISS, a Microsoft partner, did not tell the Apache
> developers first so no patch was available yet everyone running
> it was vulnerable. The article implied that Redmond is taking a
> new tactic on badmouthing open source software.
You did not say where the article was. I wanted to see how this
rumor was started so I did some searching for the article. Since
I went to the trouble of finding out, I will share what I found
with the discuss list:
First, the original advisory by ISS was complimentary toward Apache:
"The Apache Project is an open-source and volunteer collaboration
aimed to create and maintain a free, feature-rich, powerful, and
secure Web server implementation. Apache is well regarded as the
best, freely available Web server."
http://online.securityfocus.com/archive/1/277249/2002-06-15/2002-06-21/0
The advisory also included this info about Internet Security
Systems (ISS): "Founded in 1994, Internet Security Systems (ISS)
(Nasdaq: ISSX) is a pioneer and world leader in software and
services that protect critical online resources from an ever-
changing spectrum of threats and misuse. Internet Security Systems
is headquartered in Atlanta, GA, with additional operations
throughout the Americas, Asia, Australia, Europe and the Middle
East."
A poster on SlashDot said:
"I am also told that their patch doesn't fully solve the problem.
I am sure though that by awaking us to the problem they will get a
lot of great press just like any of the other companies currently
using useless bug announcements as press releases."
http://apache.slashdot.org/apache/02/06/17/1948249.shtml?tid=172
Note: in the above "company" was a link to McAfee Anti-Virus, and
"useless bug reports" was a link to commentary on "New Virus
Infects Picture Files."
The Register noted the above posting and made it sound more sinister:
"There was a posting at Slashdot suggesting that ISS was using the
premature advisory as a publicity stunt; and while there's
undoubtedly a lot to that, we have to wonder if there isn't
something even creepier behind it. Here we see ISS publishing a
vulnerability and a lame patch without so much as consulting the
developer of an open-source product, but we've never seen them try
to pull a stunt like that with Microsoft, say."
http://theregister.co.uk/content/4/25766.html
Robert mentioned that ISS is a Microsoft partner. This does not
necessarily mean that MS has any role in ISS's announcement about
Apache. ISS is a security solution company. My own feeling is they
wanted to be the heroes who announced the problem and provided the
solution. Actually providing a poor solution was not to their, or
Microsoft's benefit.
ISS partner information: ISS makes the RealSecure intrusion protection
solution, which works on top of, or in conjunction with, other
security products by ISS partners including Check Point
VPN/Firewall, Netegrity SiteMinder, Top Layer Attack Mitigator,
Invoc AlarmPoint, Nokia devices, and Microsoft ISA Server (Internet
Security and Acceleration Server 2000).
All in all, I think ISS wanted the publicity, but they goofed. In my
humble opinion, rumors of Microsoft's involvement (in this
particular instance) are unfounded.
Jim Long