Autonomy threatens legal action over vulnerability alert


Unhappy with Secunia's plans to call attention to an already-patched vulnerability in its KeyView product, enterprise search vendor Autonomy is threatening to wield the legal hammer.

According to back-and-forth correspondence released by Secunia, the San Francisco-based Autonomy is threatening legal action to force the flaw alert aggregator to "suppress significant information about vulnerabilities in [its] products."

Secunia CTO Thomas Kristensen offers the background:

Autonomy wants Secunia to withhold information about the fact that vulnerability SA27835 in KeyView Lotus 1-2-3 File Viewer, which has been fixed by IBM, obviously also affects Autonomy's own versions 9.2 and 10.3 of KeyView.

According to Autonomy, publishing an advisory would be misleading and cause confusion because the issues already have been fixed; in fact, they believe that this would cause the public to believe that there are more issues in their product than is the case!

Kristensen released the full text of six letters between Secunia and Autonomy's attorney to spell out the claims and counterclaims.

Talkback

12 comments
  • That's only to be expected

    That's the proprietary model of doing things, hide, hide, hide away. And then some will claim that they have lesser bugs than the competition! The final sufferers: The consumers.
    nilotpal_c
    • This has nothing to do with proprietary model...

      It has more to do with fear of losing customers.
      Other proprietary models have no issue with posting security concerns: IBM/Microsoft and many others.
      mrOSX
      • So, they disclose all their issues, do they?

        While Microsoft has improved markedly over the years, they still do hide holes. And plenty of them, if some sources are to be believed. Apple also has threatened security researchers. Yes, this has a lot to do with the fear of losing customers and bad press. And the press is also to be blamed for this, whenever a bug is fixed they go all "another critical hole fixed in MS or whatever", blaming them for the hole rather than credit them with coming out with the truth and offering a fix.
        What is needed is a change in the attitude of the press and the lay public: i) Bugs will always be there, deal with it.
        ii) A bug that is patched properly is harmless.
        And a change in attitude of the vendors: i) Fixing bugs and reporting them is an essential service to your paying customers.
        ii) Hiding bugs, even if silently fixed, may do more harm than good. For an example, see the vulnerability that cropped up in Trend Micro due to not getting proper information on a fixed flaw.
        nilotpal_c
        • Yes, but they don't threaten security firms with ...

          legal action (except Apple from time to time), well at least none that I have seen or heard of; maybe you have heard of some. As for playing hide the defect, every company plays hide the bug to some degree when discovered internally.

          My only concern: when they (any software company) release a patch for a security flaw and give some detail, the hackers reverse engineer the fix and take advantage of it before everyone gets the patch applied (companies need time to test before deploying). I don't see any easy way around this issue.
          mrOSX
          • In that way, yes

            I agree with you. I was speaking of the tendency to hide bugs. And this leads some companies to go haywire.
            Your concern about patch management is really well founded, and here I feel that Microsoft's approach is best for a closed source company: release what patches are going to be applied some days in advance, and release the patches on a fixed day of the month. It gives companies time and latitude to plan. Too sad they fritter away their great policy to a great extent with bundled undisclosed patches. Hackers can always reverse engineer those undisclosed patches, and some companies, just looking at the advisory, may feel they are not affected, and be struck by a (to them) unknown bug.
            nilotpal_c
          • Oops, sorry, I meant ..

            release information about what patches are going to be applied some days in advance.
            nilotpal_c
      • Correct

        What we see here is the marketing/public relations approach to business: the object of the game is to make the company look good in order to maximize sales and profits. Bad news is therefore to be suppressed through any means necessary. Reality is only important to the extent that it influences perception.
        John L. Ries
  • In one way, I side with Autonomy

    Let's face it, the cracker community salivates over every reported and fixed vulnerability. They will, in a matter of hours, reverse engineer the exploit and go after the millions who have not patched yet. In this respect, an advisory is like Christmas morning to them, another toy to use. If Secunia and others can inform about the exploit, but provide less information to the cracker community, that would be good.

    Now, I acknowledge that Autonomy is only in this to look good, and the actual exploit is probably secondary to their thought process, but in the way above, their stance could help. I hate seeing detailed blogs about how using this downloadable XLS spreadsheet, with this command string, ...and going into complete reverse engineering analysis is all over the web.

    That's what made the MIME vulnerability such a problem, it was known to three decimal places on thousands of web sites how to exploit it.

    TripleII
    • Agreed

      The consensus seems to be that vendors should be notified of security flaws in their products first and given adequate time to address the issues, but if the vendor won't act in a timely manner, then it is proper to provide the general public with the information necessary to defend themselves and to make informed buying decisions.

      Don't know the details of this case, but both irresponsible disclosures and PR-driven bad news suppression efforts are depressingly common.
      John L. Ries
    • Are you promoting security through obscurity?

      "I hate seeing detailed blogs about how using this downloadable XLS spreadsheet, with this command string, ...and going into complete reverse engineering analysis is all over the web."

      Are you suggesting that the end user is safer if only the talented malware authors know how to exploit vulnerabilities? I would suggest that by the time detailed information about vulnerabilities hits the web, those who are responsible for most of the dangerous exploits have already written and released them. The only way to be safe from a vulnerability is to mitigate it (through a patch, firewall rule, mail filter, etc.), because if history is any indication, there is no way to effectively hide vulnerabilities from those who make a living at exploiting them.

      "That's what made the MIME vulnerability such a problem, it was known to three decimal places on thousands of web sites how to exploit it."

      Or was it described in detail on thousands of web sites because it was such an exploitable vulnerability? It would be hard to tell what is the cause and what is the effect but again, I have a hard time believing that I'm in any more danger if script kiddies know how to exploit a vulnerability. I'm either safe from a vulnerability because I've mitigated it, or I'm wide open to exploits. Who writes those exploits isn't a factor.

      I'm honestly surprised at your post, knowing a bit of your preference in OSs, so I'm wondering if I misunderstood the position you are taking in your post.
      NonZealot
      • Not at all.

        Get the word out that an exploit exists, publicize that a new version of XYZ exists, but don't post exactly how to exploit it, including example code, etc.

        I do remember a blog entry (might have been Zero Day) in an email interview, where the cracker admitted that posted new exploits were their cue to jump all over it. That isn't to say that they don't find them without the help.

        TripleII