[ISN] Cisco: There is no fixed software for this issue.

InfoSec News isn at c4i.org
Mon Feb 7 08:30:44 EST 2005

Forwarded from: security curmudgeon <jericho at attrition.org>


Cisco: There is no fixed software for this issue.
Fri Feb 4 01:55:02 EST 2005

I think it is time to give up on Cisco.

Most professionals in the security industry have long since given up
on vendors such as Microsoft and resigned ourselves to the fact that
they don't understand security, and that for all the marketing and PR
these companies never will. Year after year, we see stupid and
trivial security bugs pop up in their software. Oftentimes these are
the same vulnerabilities reborn with a new product, or the same class
of vulnerabilities creeping back into the code due to poor programming
practices. In other cases, vulnerabilities are found and supposedly
patched by vendors. Days or weeks later, it is discovered that the
patch does not fully mitigate the original problem and can be bypassed,
and the software is still vulnerable.

Yesterday, Cisco Systems, Inc. posted a new security advisory
announcing a vulnerability in one of their product lines. This is not
new for Cisco by any means as they have released 155 security
advisories dating back to June 1, 1995. Why is this one different? The
proverbial straw that broke the camel's back perhaps. The issue is not
that just another vulnerability affects their products, nor is it the
amount of issues Cisco has posted over the years. While depressing to
anyone responsible for the security of one of their devices, it is
mostly manageable. Cisco has been fairly good about addressing
problems in the past, providing patches and solid workarounds and
eventually selling new versions of their software that aren't
affected. Until now.

There are two issues with the latest advisory covering a vulnerability
in Cisco IP/VC Products. Either issue unto itself should have
Cisco customers up in arms demanding better products and better
service. As long as companies continue to buy and support
irresponsible and unethical vendors, they will continue to deliver
over-priced insecure software.
