Posted on 16-2-2002
Why your vendor has no SNMP fix
By Thomas C Greene in Washington; posted to www.theregister.co.uk
Ever wonder why only a handful of vendors had a fix ready for the myriad SNMP vulnerabilities recently reported? The vulns were discovered nine months ago, after all.
We picked up a tip from one of our sources Thursday. It appears that the FBI's NIPC pressured the White House, which in turn pressured CERT, to break the news two weeks sooner than originally planned. NIPC decided that the vast smorgasbord of holes was a threat to crucial infrastructure, and that forewarned was forearmed. The reasoning here is that a simple workaround beats blithe ignorance hands down. Most vendors thought they had an additional two weeks to tweak their patches, and that's why so few are available at the moment.
What is interesting here is that NIPC's decision flies in the face of Microsoft's neurotic insistence that vulnerabilities not be disclosed until an 'official' patch can be cobbled together. This may be the best criticism yet of MS's security-through-obscurity regime. We note that MS was delighted to leave millions of Passport users vulnerable to exploitation while they worked on a patch for a disastrous hole. It was only when their trousers were pulled down by security researcher Marc Slemko that they disabled the 'feature' which left their foolishly trusting customers open to attack.
Apparently Uncle Sam thinks this approach to network security is bollocks. We think it is too.