RE: Correction to latest Colsaire advisories
This has been re-sent several times in the last week, but for whatever
reason, my email hasn't been getting to the bugtraq list.
> I presume that these are nine of the
> "top 10 content providers".
Actually, no. Our internal testing covered a limited collection of what we
considered the most prevalent enterprise products. When it became clear that
the issues were widespread, we brought NISCC in to coordinate passing out a
set of canned test tools to all the MIME-related vendors they could find
(anecdotally, I think this was something like 100+).
We obviously have the results of our own testing (which is where the stats
come from), but the other vendors have been invited to make their own
declaration as to the outcome of the test tools. Needless to say, the
statements provided so far are somewhat sparse; the only vendor from our
original test set to make a statement is F-Secure.
> I also note that Microsoft was not listed as a vendor that responded.
> Were their products tested and if so what were the results?
Yes, they were tested. Yes, they have chosen not to make a public statement.
I personally don't know why this may be so. Perhaps you could ask them? ;)
The release model for these vulnerabilities has been the best compromise of
what is a difficult situation. Releasing as individual advisories (or
per-product clumps) was never going to be ideal; both because of the volume
and because earlier public releases expose information about products that
come later in the process. The solution chosen was to pick a date far off in
the future, to provide the vendors with all the information they needed to
replicate the issues, and then to allow them to make their own public
statements as to compliance. Effectively the same model as the SNMP issues
from a few years ago.
History may prove this not to be ideal, and a better model may be needed.
Regards,
Martin O'Neal