Posted on 16-2-2002

Why your vendor has no SNMP fix
By Thomas C Greene in Washington, posted to www.theregister.co.uk

Ever wonder why only a handful of vendors had a fix ready for the myriad
SNMP vulnerabilities recently reported? The vulns were discovered nine
months ago, after all.

We picked up a tip from one of our sources Thursday. It appears that the
FBI's NIPC pressured the White House, which in turn pressured CERT, to
break the news two weeks sooner than originally planned. NIPC decided that
the vast smorgasbord of holes was a threat to crucial infrastructure, and
that forewarned was forearmed. The reasoning here is that a simple
workaround beats blithe ignorance hands down. Most vendors thought they had
an additional two weeks to tweak their patches, and that's why so few are
available at the moment.

Interesting here is that NIPC's decision flies in the face of Microsoft's
neurotic insistence that vulnerabilities not be disclosed until an
'official' patch can be cobbled together. This may be the best criticism
yet of MS' security through obscurity regime. We note that MS was delighted
to leave millions of Passport users vulnerable to exploitation while they
worked on a patch for a disastrous hole. It was only when their trousers
were pulled down by security researcher Marc Slemko that they disabled the
'feature' which left their foolishly trusting customers open to attack.

Apparently Uncle Sam thinks this approach to network security is bollocks.
We think it is too.