FunnySad side of security

Reading through Zero Day Initiative’s (ZDI) advisory: Verity Ultraseek Request Proxying Vulnerability, I noticed that they mentioned that the vendor:

Verity has issued an update to correct this vulnerability. More details can be found at: http://www.ultraseek.com/support/docs/RELNOTES.txt

but going to the release notes you can quickly see that there is no mention of this vulnerability, nor are the words Security/Vulnerability ever mentioned in the advisory.

This could mean one of two things: ZDI’s advisory is incorrect, or Ultraseek decided to hide the fact that the vulnerability ever existed. I am assuming the latter.

This is of course saddening: no user of Ultraseek reading the release notes will ever know that the problem existed, unless they look up ZDI’s advisory.

Food for thought…

  • lezter

    I am not very surprised here, this isn’t the first time vendors release patches and hide in them security related fixes. Even Microsoft tends to do it, less now than they used to before.

  • xm

    Full Disclosure is the only real answer

  • Shawn

    You are right, FD is no real answer, but hiding the fact that you are vulnerable is simply lying.

  • http://djtechnocrat.blogspot.com/ Technocrat

    Not only is this lying, they are hiding the information from the customers… who need to know how important the upgrade is…

    How can a corporation rate the risk of a product when the vendor silently fixes security issues…

    Ultraseek is not to be trusted…

  • Greg Burns

    You really believe they are intentionally lying?

  • http://www.BeyondSecurity.com Lev

    Nope, they just don’t classify those bugs as security vulnerabilities. Or whatever …