Security News > 2010 > January > Firm to Release Database & Web Server 0days

http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/ By Brian Krebs krebsonsecurity.com January 11th, 2010 January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products. Evgeny Legerov, founder of Moscow based Intevydis, said he intends to publish the information between Jan 11 and Feb 1. The final list of vulnerabilities to be released is still in flux, Legerov said, but it is likely to include vulnerabilities (and in some cases working exploits) in: - Web servers such as Zeus Web Server, Sun Web Server (pre-authentication buffer overflows); - Databases, including Mysql (buffer overflows), IBM DB2 (local root vulnerability), Lotus Domino and Informix - Directory servers, such as Novell eDirectory, Sun Directory and Tivoli Directory. In an interview with krebsonsecurity.com, Legerov said his position on vulnerability disclosure has evolved over the years. "After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time" Now, we do not contact with vendors and do not support so-called 'responsible disclosure' policy," Legerov said. For example, he said, "there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor." [...] ________________________________________ Did a friend send you this? From now on, be the first to find out! Subscribe to InfoSec News http://www.infosecnews.org

News URL

http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/