Re: Microsoft, CNET, BUGTRAQ and the 'land' attack

Aleph One (aleph1@DFW.NET)
Mon, 08 Dec 1997 17:28:33 -0600

On Sun, 7 Dec 1997, Geoffrey King wrote:

> The last issue of the RISKS digest [19.48] contained a report
> passed on from the CNET news service about the 'land' attack. The
> CNET report which appears at
> <> carries
> a date of 4 Dec 1997 at 5pm PST.
> More seriously, the article also appears some 14 days after the
> first posting (including exploit code) of the 'land' vulnerability
> to the BUGTRAQ list. But todays "news" does coincide quite nicely
> with the announcement that Microsoft would release patches.

A small correction. As much as I like conspiracy theories the author of
the report actually did not know that Microsoft would release the fixes
the same day. I actually contacted him after reading the article to
comment on it and point out the fixes from Microsoft. Only after that
exchange of messages did he add information about them to the news report.
Also we should atleast be happy that CNET published anything on the
subject. They could have as well not published the article since Wired got
this one first. That would have meant less people informed about about the

> And
> please also note that the statement of "Jason Grams, a product
> manager at Microsoft", that "[o]bviously, this isn't a
> Microsoft-only problem, it's a pretty big problem" is not entirely
> accurate. There are a number of operating systems which are not
> vulnerable to this attack, including current releases of Linux,
> Solaris, Irix, OS/2 and others ... other vendors, including CISCO,
> acted immediately to warn of and patch vulnerabilities in their
> products.

As much as I can dislike Microsoft at certain times the above statement
seems very accurate. "this isn't a Microsoft-only problem" means
"operating systems other than Microsoft's are affected". It does not mean
"it affects everyone".

[ snip ]

Every company will attempt to put the best spin they can to security
vulnerabilities. Indeed is refreshing to see a company like Cisco come
out with timely and informative security advisories, but it seem like your
expectation are to high for the realities of the marketplace. Guess I have
just become to cynical.

I am killing this thread.

> Geoff <>

Aleph One /
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01