Online security consultancy Spi Dynamics has sparked a new debate over the
responsible handling of vulnerability warnings with the release of an alert
for multiple security holes in the Sun ONE Application Server 7.0.
The Atlanta-based Spi Dynamics issued the warning without the availability of a patch or workaround from Sun Microsystems. A spokesperson for Sun confirmed the existence of the security holes and said one of the bugs has already been fixed in Update 1 of Application Server 7.0.
“We’re aware of the security issues and have fixes underway. The other three bugs will be fixed in Update 2, expected to be available in August,” the spokesperson told internetnews.com.
However, a JSP source code disclosure vulnerability, which carries a “High” severity rating, is still unpatched.
According to Spi Dynamics CEO Brian Cohen, the decision to release the
information was made after several unsuccessful attempts to reach Sun’s
security unit.
“We made numerous efforts to contact Sun and work with them on a fix for these issues but they never responded. We followed all the necessary disclosure procedures and notified Sun since March 18. We had no choice but to go public because, in this case, the vendor was completely unresponsive. We have a responsibility to the public at large to disclose this vulnerability,” Cohen said in an interview.
Cohen said it was “unacceptable” for a software vendor the size of Sun
Microsystems to be unresponsive to security warnings from researchers.
Since March 18, Cohen said Sun’s security unit responded once to say the
holes were being patched but they needed time because the developer was on
vacation. Since then, he said numerous attempts to get an update from Sun
were unsuccessful.
The Sun spokesperson denied Cohen’s claim. “Spi was notified in previous
communications of Sun’s plan to fix these bugs,” she said.
Meanwhile, the serious JSP vulnerability won’t be fixed until Sun issues
Update 2 for the product in August. However, the spokesperson said Sun
would make the fix available upon request prior to general availability of
the update. “Customers can contact Sun through their normal support channels
to obtain the fix,” she said.
The latest controversy comes on the heels of a public
spat between the Apache Software Foundation (ASF) and the Internet
Security Systems (ISS) over the way a warning about a security hole in the
Apache HTTP Server was handled.
In that case, an easy-to-use exploit for the hole was circulating on the Internet before Apache got a chance to plug the vulnerability. Apache officials were upset they weren’t first notified before the ISS issued its advisory, a normal procedure when bugs are detected. Since then, Apache has taken a proactive approach to issuing updates to avoid embarrassment.
Gartner security analyst John Pescatore rapped Sun for being notoriously slow to fix known holes in its products. “In this day and age, if a consultant finds a vulnerability and notifies the vendor, two weeks is reasonable time to make a patch available,” Pescatore said. In some cases, vendors can request more time to get a fix ready but, if it drags on for more than a month, Pescatore said the researcher has no option but to release the information.
“Anything more than a month is just dragging things on too long and
setting up a ‘Day Zero’ situation,” he declared, noting that Spi Dynamics
has a history of being very responsible about reporting vulnerabilities.
“If you go back a number of years, before Solaris, when Sun had the most
popular operating system for servers connected to the Internet, Sun would go
six months without fixing a vulnerability. Back then, no one publicized
these things so it was not a huge deal. But, in this day and age, that’s not
going to happen,” Pescatore said.
He said the latest controversy underscores the need for an acceptable
protocol for cooperation between independent researchers and software
vendors. “In general, the communication has worked well but there are times
when it could be improved.”
Back in 2002, Pescatore said Microsoft tried to get a
group of software vendors together to define a protocol via an Internet RFC
but that proposal got bogged down because too many consultants mistrusted
Microsoft.
There is a feeling that pressure from independent researchers could be a good thing. “If the vendors didn’t have this pressure from the consultancies, then they just wait too long to come out with a patch. I think the tension has its benefits,” Pescatore declared.