Select Page

 
MoRB

Ok, I made up the name “MoRB” and our analyst Dimiter, who is from Bulgaria, took a stab at the translation.

Russian security firm Intevydis has said it will release Jan. 11-Feb. 1 previously undocumented vulnerabilities in popular commercial software products including:

— IBM DB2 (local root vulnerability)
— iMysql (buffer overflows)
— Lotus Domino and Informix databases
— Novell eDirectory
— Sun Directory
— Sun Web Server (pre-authentication buffer overflows)
— Tivoli Directory
— Zeus Web Server

Evgeny Legerov, founder of the Moscow firm, told prominent security blogger Brian Krebs that responsible disclosure has, for him, proven to be a waste of time. He said one of the vulnerabilities he will release is be a bug in Realplayer that he told the vendor about two years ago.

“Month of _____ bugs” has been a controversial gimmick that a number of security researchers have used in the last few years. It involves the release of information about software vulnerabilities before they are fixed in order to publicize the slow pace that vendors usually follow patching bugs that have been brought to their attention.

Generally, researchers follow the dictates of “responsible disclosure,” which is to inform the vendor of the security flaws in their software and wait a “reasonable” period of time before publicizing the details.

Brian Krebs piece here.

Tom Kelchner