Independent Third-Party Findings Support AutoProf Analysis of ScriptLogic Software Vulnerabilities.

Business Editors/High-Tech Writers

PORTSMOUTH, N.H.--(BUSINESS WIRE)--May 23, 2003

CERT/CC Vulnerability Notes Confirm the Security Flaws AutoProf Reported in July, 2002

In July 2002, AutoProf published a whitepaper entitled "A Comparison of Profile Maker 7 & ScriptLogic 4: Architecture, Security & Selected Features" (http://www.autoprof.com/pdf/PM_Scriptlogic_Comparison.pdf). AutoProf's whitepaper asserted that ScriptLogic's version 4.0 and 4.01 software compromised the security of networks running Microsoft's Windows operating system. AutoProf privately notified ScriptLogic of its findings prior to publishing the whitepaper, at which time ScriptLogic threatened to sue AutoProf. One month later, AutoProf published the whitepaper, and shortly thereafter, ScriptLogic filed suit against AutoProf for making allegedly false and misleading statements about the security of ScriptLogic's software. AutoProf has vigorously denied ScriptLogic's charges.

ScriptLogic's continuing lawsuit questions the accuracy of AutoProf's statements regarding three security vulnerabilities in ScriptLogic software. However, recently published findings by the CERT/CC, a widely recognized authority on network and software vulnerabilities (www.cert.org), clearly support the existence of the same vulnerabilities in ScriptLogic version 4.01 first reported by AutoProf.

The following CERT/CC Vulnerability Notes are available for review online:

-- "ScriptLogic RunAdmin service can allow users to gain administrative access" (http://www.kb.cert.org/vuls/id/231705)
-- "ScriptLogic RPC service allows local users to modify arbitrary registry settings" (http://www.kb.cert.org/vuls/id/609137)
-- "ScriptLogic sets insecure permissions on 'LOGS$' share" (http://www.kb.cert.org/vuls/id/813737)

The CERT/CC is part of the Networked System Survivability Program located at the Software Engineering Institute ("SEI"), a research and development center and non-academic unit of Carnegie Mellon University. The CERT/CC was founded as the result of the Defense Advanced Research Projects Agency directive to the SEI to establish a center to coordinate communication among experts during security emergencies and to help prevent future security incidents. The U.S. Department of Defense and a number of Federal civil agencies provide primary funding for the CERT/CC.

In the area of survivable network technology, the CERT/CC concentrates on the technical basis for identifying and preventing security flaws and for preserving essential services if a system is penetrated and compromised. Its work involves handling computer security issues, incidents and vulnerabilities, publishing security alerts, researching long-term changes in networked systems, and developing information and training relating to improved site security.

News of the ScriptLogic lawsuit was reported in a Government Computer News article by columnist William Jackson

About AutoProf

AutoProf develops and markets intuitive desktop management software worldwide through a network of value-added resellers and distributors. Since the introduction of its first product in 1997, AutoProf has sold its software to over 2,500 customers worldwide, including Airbus, Alliance Capital, Standard & Poor's, and PepsiCo. For more information on this Portsmouth, NH-based company, visit www.AutoProf.com or call 603.433.5885.