
Check Point Questions ISS Practices After Bug Errors.



By Kevin Murphy

Check Point Software Technologies Ltd yesterday expressed concern about Internet Security Systems Inc's vulnerability research, after two Check Point vulnerabilities ISS found turned out to be not as serious as publicized.

A critical vulnerability originally thought to affect almost a third of Check Point's VPN-1 customers is now believed to affect only a single-digit percentage. Check Point discovered it had already fixed the problem, in two service packs released in 2002.

Check Point said that, contrary to ISS's original alert, the VPN-1 vulnerability was fixed in Next Generation Feature Pack 2 and v4.1 Service Pack 6, which were released to customers in June and April of 2002 respectively.

"We made the assumption that ISS had done their due diligence," Check Point product marketing manager Mark Kraynak said. "The fact that they didn't test 4.1 Service Pack 6 is a problem. I wouldn't begin to speculate why they didn't do that."

Kraynak added that after Check Point discovered the problem was not as serious as it first thought, it alerted ISS. ISS requested a copy of the SP6 code to test, Check Point provided it, and ISS confirmed it was not vulnerable.

Chris Rouland, VP of ISS's X-Force vulnerability research team, said that SP6 was not available during ISS's initial vulnerability research. "SP6 was not available for download as it was listed as end-of-life," an ISS spokesperson said in a statement.

"Basically we were incorrect about one out of eight service packs," Rouland said, adding that it is the first time the company has made such an error. SP1 through SP5 for version 4.1 and SP0 and SP1 for NG tested as vulnerable.

SP6 is the most-installed version of the older software, however. Kraynak said over 90% of customers are using protected versions of the software and, of the others, "anecdotally, it seems almost all of those customers are not using VPN" and would not be affected.

ISS updated its advisories over the weekend to reflect the new information, but did not draw attention to the changes or change the dates on the advisories, which are prominently positioned on the company's web site.

The VPN-1 vulnerability is serious, however. It can be exploited to provide attackers with full root access to the firewall, letting them configure it to allow further network breaches, ISS discovered. Check Point advises affected customers to upgrade or call tech support for a fix.

Check Point also says ISS, in a second alert published Friday, mischaracterized the extent of another critical vulnerability it had found, this time in the HTTP inspection features in Check Point's latest NG with Application Intelligence firewalls.

Check Point said that ISS reported that the root-compromise vulnerability, for which a patch has been issued, affected all aspects of HTTP inspection, whereas it actually affects only a component of that feature known as HTTP Security Server.

Check Point's NG with Application Intelligence deep-inspects packets using routines in the kernel and in separate software proxies. Only the HTTP proxy component, which Kraynak said few customers have turned on, is vulnerable.
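The practical lesson of the two advisories is that exposure depends on the installed code level and on which features are switched on: for the VPN-1 bug, 4.1 SP6 and NG FP2 already carry the 2002 fix and VPN must actually be in use; for the HTTP bug, only NG with Application Intelligence firewalls with the HTTP Security Server enabled are affected. The following added example (not code from the article, Check Point or ISS) shows how a defender would encode those statements as an inventory triage check. The `Firewall` record, the "4.1 SP5" / "NG FP2" version spellings and the inventory entries are constructed for this example and are not Check Point's own version strings or configuration format.

```python
import re
from dataclasses import dataclass

# Fixed-in levels for the VPN-1 bug as stated in the article: v4.1 Service
# Pack 6 (April 2002) and NG Feature Pack 2 (June 2002). The "4.1 SP6" /
# "NG FP2" spellings are this example's own convention (assumption).
VPN1_FIXED_IN = {"4.1": 6, "NG": 2}

_VERSION_RE = re.compile(r"^(?P<line>4\.1|NG)\s+(?:SP|FP)\s*(?P<level>\d+)$", re.I)


@dataclass
class Firewall:
    name: str
    version: str                      # constructed, e.g. "4.1 SP5"
    vpn_in_use: bool                  # VPN-1 bug is moot if VPN is unused
    application_intelligence: bool    # NG with AI: HTTP inspection features
    http_security_server: bool        # the one HTTP component that is affected


def parse_version(version: str):
    """Return (line, level), e.g. "4.1 SP5" -> ("4.1", 5); raise on junk."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group("line").upper(), int(m.group("level"))


def vpn1_fixed(version: str) -> bool:
    """True when the code level already contains the 2002 fix.

    This is exactly the point ISS missed: the newest pack (SP6), listed as
    end-of-life, is the fixed one, so compare levels against the fix level
    rather than enumerating the packs you happened to test.
    """
    line, level = parse_version(version)
    return level >= VPN1_FIXED_IN[line]


def triage(fw: Firewall) -> list[str]:
    """Apply the article's two affected-population rules to one firewall."""
    try:
        line, _ = parse_version(fw.version)
    except ValueError:
        return ["unknown version: verify manually"]
    findings = []
    if not vpn1_fixed(fw.version):
        if fw.vpn_in_use:
            findings.append("VPN-1: vulnerable, upgrade or contact support")
        else:
            findings.append("VPN-1: unfixed code level, but VPN not in use")
    if line == "NG" and fw.application_intelligence and fw.http_security_server:
        findings.append("HTTP Security Server: enabled on NG with AI, apply patch")
    return findings


def report(inventory: list[Firewall]) -> dict[str, list[str]]:
    return {fw.name: triage(fw) for fw in inventory}


# Constructed sample inventory covering each branch of the triage logic.
INVENTORY = [
    Firewall("fw-branch-a", "4.1 SP5", True, False, False),   # unfixed, VPN on
    Firewall("fw-branch-b", "4.1 SP6", True, False, False),   # already fixed
    Firewall("fw-dc-1", "NG FP1", False, False, False),       # unfixed, VPN off
    Firewall("fw-dc-2", "NG FP2", True, True, True),          # HTTP Security Server on
    Firewall("fw-legacy", "3.0 SP2", True, False, False),     # not covered by the advisories
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(f"{name}: {findings or ['no finding']}")
```

The version string is parsed into a (line, level) pair before any comparison, so a firewall on a code level newer than the ones a researcher happened to test is still classified correctly, and anything that does not parse is surfaced for manual review instead of silently passing.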

ISS said it had notified Check Point about the vulnerabilities on February 2 and both ISS and Check Point chose to issue security advisories two days later. This is an unusually fast turnaround for any vendor or researcher.

Kraynak said that Check Point publicized the issues quickly because it believed ISS had done a thorough test, and that it had started receiving inquiries from mutual customers, some of which receive advance vulnerability warnings.

ISS's Rouland characterized the incident as a breakdown of communications between the two companies.

ISS has a responsible disclosure policy of not publicizing vulnerabilities until the affected vendor issues a fix or 30 days elapse without response. It does, however, send advisories to its X-Force Threat Analysis Service customers under non-disclosure agreement one business day after the vendor is notified.

ISS has its roots in the intrusion detection system space, but has made moves over the last twelve months to enter the perimeter security and firewall market, where Check Point is, by some estimates, the market leader.
COPYRIGHT 2004 Datamonitor

Article Details
Publication: Computergram International
Date: Feb 11, 2004