Despite patch, today's systems still vulnerable to 2002 flaw

For the last week, I've written that Dan Kaminsky undertook unprecedented action in coordinating a variety of vendors in secret over the last six months. Ari Takanen, co-founder and chief technology officer of Codenomicon, wrote to challenge that notion.

In an e-mail on Thursday, Takanen cited his work on a Simple Network Management Protocol version 1 (SNMPv1) flaw back in 2002 as an example. Like Domain Name System, SNMP is a fundamental element of the Internet.

I wrote: "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took someone with the gravitas and reputation of Kaminsky to pull together the affected parties."

Takanen writes: "Well, actually that is not true. Our SNMP case was secret for nine months after reporting it to relevant vendors, and as far as I know it involved more than 100 vendors and other organizations (1,000+ people). We saw all possible attempts to disclose it, but even public disclosure lists appreciated the stand that CERT-US chose to take."

CERT-US released its advisory on February 12, 2002, after word of the flaw leaked.

Takanen goes on to say Codenomicon provides a commercial tool to defect the SNMPv1 flaw as part of its quality assessment process.

The funny thing is six years later, the tool still finds active systems vulnerable.

Takanen, who advocates nonpublic disclosure of security flaws, said, "This just proves that reporting individual bugs for fame and fortune does not motivate the vendors to improve their quality assurance processes."