Online security consultancy Spi Dynamics has sparked a new debate over the
responsible handling of vulnerability warnings with the release of an alert
for multiple security holes in the Sun ONE Application Server 7.0.
The Atlanta-based Spi Dynamics
issued the warning without the availability of a patch or workaround from
. A spokesperson for Sun confirmed the
existence of the security holes and said one of the bugs has already been
fixed in Update 1 of Application Server 7.0.
“We’re aware of the security issues and have fixes underway. The other
three bugs will
be fixed in Update 2, expected to be available in August,” the spokesperson
However, a JSP source code
disclosure vulnerability which carries a “High” severity rating is still unpatched.
According to Spi Dynamics CEO Brian Cohen, the decision to release the
information was made after several unsuccessful attempts to reach Sun’s
“We made numerous efforts to contact Sun and work with them on a fix for
these issued but they never responded. We followed all the necessary
disclosure procedures and notified Sun since March 18. We had no choice but
to go public because, in this case, the vendor was completely unresponsive.
We have a responsibility to the public at large to disclose this
vulnerability,” Cohen said in an interview.
Cohen said it was “unacceptable” for a software vendor the size of Sun
Microsystems to be unresponsive to security warnings from researchers.
Since March 18, Cohen said Sun’s security unit responded once to say the
holes were being patched but they needed time because the developer was on
vacation. Since then, he said numerous attempts to get an update from Sun
The Sun spokesperson denied Cohen’s claim. “Spi was notified in previous
communications of Sun’s plan to fix these bugs,” she said.
Meanwhile, the serious JSP vulnerability won’t be fixed until Sun issues
Update 2 for the product in August. However, the spokesperson said Sun
would make the fix available upon request prior to general availability of
the update. “Customers can contact Sun through their normal support channels
to obtain the fix,” she said.
The latest controversy comes on the heels of a public
spat between the Apache Software Foundation (ASF) and the Internet
Security Systems (ISS) over the way a warning about a security hole in the
Apache HTTP Server was handled.
In that case, an easy-to-use exploit for the hole was circulating on the
Internet before Apache got a chance to plug the vulnerability. Apache
officials were upset they weren’t first notified before the ISS issued its
advisory, a normal procedure when bugs are detected. Since then, Apache has
taken a proactive
approach to issuing updates to avoid embarrassment.
Gartner security analyst John Pescatore rapped Sun for being notoriously
slow to fix known holes in its products. “In this day and age, if a
consultant finds a vulnerability and notifies the vendor, two weeks is
reasonable time to make a patch available,” Pescatore said. In some cases,
vendors can request more time to get a fix ready but, if its drags on for
more than a month, Pescatore said the researcher has no option but to
release the information.
“Anything more than a month is just dragging things on too long and
setting up a ‘Day Zero’ situation,” he declared, noting that Spi Dynamics
has a history of being very responsible about reporting vulnerabilities.
“If you go back a number of years, before Solaris, when Sun had the most
popular operating system for servers connected to the Internet, Sun would go
six months without fixing a vulnerability. Back then, no one publicized
these things so it was not a huge deal. But, in this day and age, that’s not
going to happen,” Pescatore said.
He said the latest controversy underscores the need for an acceptable
protocol for cooperation between independent researchers and software
vendors. “In general, the communication has worked well but there are times
when it could be improved.”
Back in 2002, Pescatore said Microsoft
tried to get a
group of software vendors together to define a protocol via an Internet RFC
but that proposal got bogged down because too many consultants mistrusted
There is a feeling that pressure for independent researchers could be a
good thing. “If the vendors didn’t have this pressure from the
consultancies, then they just wait too long to come out with a patch. I
think the tension has its benefits,” Pescatore declared.