
| Subject: | Re: n.runs, Sophos, German laws, and customer safety |
|---|---|
| Date: | Tue, 28 Aug 2007 19:12:49 +0200 |
Hi Steven,

Even if I do not support the new anti-hacker law in Germany, I don't see any important issue in the inconsistency between the n.runs advisory and the vendor's statement in respect of the new law.

The most important message for the average customer, who is not able to understand the difference between a DoS and a code execution, is to install the latest vendor patches. And those customers who know the difference between these two kinds of vulnerabilities are aware of the fact that there is a high risk that a simple DoS might become a code execution if better exploited, and should also install the latest vendor patches (or put any other preventive measure in place).

In my mind the most important effect of the law is that it will be punished if someone uses or provides tools that are able to discover/prove the existence of such vulnerabilities... but that's another story....

Thanks,
Oliver

On Tue, 2007-08-28 at 13:00 -0400, Steven M. Christey wrote:

> The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor's statement that it's only a "theoretical" DoS:
>
> http://www.sophos.com/support/knowledgebase/article/28407.html
>
> "A corrupt UPX file causes the virus engine to crash and Sophos Anti-Virus to return 'unrecoverable error', leading to scanning being terminated. It should not be a security threat although repeated files could cause a denial of service."
>
> It is unfortunate that Germany's legal landscape prevents n.runs from providing conclusive evidence of their claim. This directly affects Sophos customers who want to know whether it's "just a DoS" or not. Many in the research community know about n.runs and might believe their claim, but the typical customer does not know who they are (which is one reason why I think the Pwnies were a good idea). So, many customers would be more likely to believe the vendor. If the n.runs claim is true, then many customers might be less protected than they would be if German laws did not have the chilling effect they are demonstrating.
>
> It should be noted that in 2000, a veritable Who's Who of computer security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias Levy, Alan Paller, and other well-known security professionals - published a statement of concern about the Council of Europe draft treaty on Crime in Cyberspace, which I believe was the predecessor to the legal changes that have been happening in Germany:
>
> http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html
>
> Amongst many other things, this letter said:
>
> "Signatory states passing legislation to implement the treaty may endanger the security of their computer systems, because computer users in those countries will not be able to adequately protect their computer systems... legislation that criminalizes security software development, distribution, and use is counter to that goal, as it would adversely impact security practitioners, researchers, and educators."
>
> If I recall correctly, we were assured by representatives that such an outcome would not occur.
>
> - Steve