Brian Bilbrey asks who ISS is and whether they’re in bed with Microsoft:
According to their website, ISS is Internet Security Systems. I hadn’t heard of them before these last few weeks. Certainly not one of the big boys, until all this recent press. From their marketing crap on the homepage (http://www.iss.net), it appears they are in the same biz as McAfee and Norton, but at a different tier.
So, let’s start with the simple stuff: ISS has been around for a long, long time as security firms go. I believe they officially started operating in 1992 or so. Chris Klaus, the founder, dropped out of Georgia Tech after developing the core of what became ISS’ lead product, the RealSecure scanner. ISS had the first useful security scanner for Windows NT, and their products are very widely used out in industry and government. So, the answer to question #1: ISS is for-real, they didn’t just fall off the truck, and they are well-regarded in the security community.
Now, for Brian’s more interesting question: is ISS in bed with Microsoft?
Brian says “I have nothing to back up my speculation, except their involvement and behaviour.” Well, based on that, I suspect it would be impossible to disprove any nefarious Redmond plot. It was certainly rude of ISS to announce the Apache vuln without notifying the Apache group, if in fact that’s what happened; I have no evidence either way. It seems as though ISS did the correct thing in the case of OpenSSH, though: they notified the maintainer, who then released his own notice of the vulnerability. It’s hard to imagine that ISS, which by software-company standards isn’t all that big, could pressure Theo to withhold details of the vulnerability if he wanted to disclose it.
As for the Bindview-Foundstone-@stake-ISS-Microsoft axis, this is old news. *No one* benefits from widespread public disclosure of how to exploit new Windows vulnerabilities: the vendors don’t, the admins running the vulnerable boxes sure don’t, and the community at large (except for script kiddies) doesn’t. That’s all the “alliance” calls for: if you find a bug tell the vendor, and don’t release details of the ‘sploit for 30 days. That surely doesn’t seem unreasonable to me, especially since Open Source supposedly can fix problems so fast that a 30-day window should leave enough time for the dev guys to take 29.5 days of vacation.
