[VIM] [Full-disclosure] [SECUNIA] Vendors still use the "legal" weapon (fwd)

security curmudgeon jericho at attrition.org
Thu Dec 6 21:46:22 UTC 2007

---------- Forwarded message ----------
From: Thomas Kristensen <tk at secunia.com>
To: full-disclosure at lists.grok.org.uk
Date: Thu, 06 Dec 2007 13:43:51 +0100
Subject: [Full-disclosure] [SECUNIA] Vendors still use the "legal" weapon

In these days, one would have believed that vendors have learned the
lesson not to threaten with legal actions to withhold and suppress
significant information about vulnerabilities in their products.

Well, nonetheless, Secunia just received a sequel of letters from
Autonomy, likely not known to many, but it is the software company that
supplies the "Swiss Army Knife" in handling and opening documents in
well known software like IBM Lotus Notes and Symantec Mail Security.

*First a little background information*

The communication between Autonomy and their OEM customers regarding
which versions of their KeyView software that fix given vulnerabilities
has failed again and again. This has been a mess to sort out and Secunia
has had to spent hours verifying what e.g. was fixed by IBM and what was
fixed by Symantec - because apparently the versioning of the KeyView
software is different whether used by Symantec, IBM, or others.

We've managed to figure this out and occasionally this has caused one of
Autonomy's OEM customers to have unpatched publicly known
vulnerabilities in their products. All thanks to Autonomy's apparent
inability to co-ordinate the release of new vulnerability fixes with
their customers.

Now, Autonomy has become fed up with handling all these vulnerabilities
and believe that it is time to control what Secunia writes about.
Autonomy wants Secunia to withhold information about the fact that
vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been
fixed by IBM, obviously also affects Autonomy's own versions 9.2 and
10.3 of KeyView.

According to Autonomy, publishing an advisory would be misleading and
cause confusion because the issues already have been fixed; in fact,
they believe that this would cause the public to believe that there are
more issues in their product than is the case!

Now that is an interesting logic.

Sorry Autonomy, writing an advisory that states which vulnerabilities
have been fixed and in which versions is in no way misleading or
confusing - even for "historical" issues.

What is really interesting here is the fact that the Vulnerability
Database services offered by Autonomy's own customers IBM and Symantec
(ISS X-Force and Securityfocus respectively) still (at the time of
publishing) don't show information about the fact that patches are
available for the Lotus 1-2-3 issue - while Secunia, who Autonomy
accuses of publishing misleading information, correctly reflects the
fact that Autonomy offers patches.

However, this doesn't seem to be a concern for Autonomy or perhaps their
legal department also treats their own customers in the same way as
Secunia is treated?

What is misleading and confusing in this whole case is the apparent lack
of co-ordination between Autonomy and Autonomy's OEM customers, the lack
of clear, precise public statements about vulnerabilities and security

If Autonomy wants to avoid "misleading" and "confusing" communication,
then Autonomy ought to start publishing bulletins such as those made by
most other serious and established software vendors (e.g. Microsoft and
their own customers IBM and Symantec) with clear information about the
type of vulnerability, potential attack vectors, potential impacts,
affected versions, and unaffected versions - it's really that simple.

Naturally, Autonomy should also communicate to their own customers (IBM
and Symantec) that patches addressing vulnerabilities are available so
that both their products and their Vulnerability Database services are

*Our response to these claims and accusations*

Despite Autonomy's unsubstantiated legal threats, Secunia will quite
legally continue to do vulnerability research in Autonomy products and
any other products of interest. Naturally, Secunia will also continue to
publish research articles and advisories in an unbiased, balanced,
accurate, and truthful manner as we serve one purpose only: To provide
accurate and reliable Vulnerability Intelligence to our customers and
the Internet in general.

Secunia is in continuous, ongoing, and positive dialogues with most
vendors including large professional organisations like Microsoft, IBM,
Adobe, Symantec, Novell, Apple, and CA. All understand and respect the
need for informing the public about vulnerabilities and prefer to
co-ordinate and synchronise the publication with important Vulnerability
Intelligence sources such as Secunia rather than battling to keep things
secret. It is truly sad to see that certain vendors like Autonomy still
behave like many software vendors did back in the previous millennium.

Kindest regards,

Thomas Kristensen
CTO, Secunia

Copies of all correspondence in this "matter" is available below in
chronological order, enjoy:

The above is also available in our blog:

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

More information about the VIM mailing list