Since when did you start working for IPSwitch?  Your comment is the
biggest load of typical, corporate, pass-the-buck garbage I've heard in
quite a while.  If there is a vulnerability in iMail / ICS, it is
IPSwitch's responsibility to test previous versions of their software
product, and at the very least provide customers with accurate
information regarding which versions are vulnerable.

Instead of even publicly announcing that there was a buffer overflow
exploit found for their IMAP engine, they try to quietly release this
fix as part of 2006.03.  Even the announcement posted here stated
only this about this remote buffer overflow: "In addition, we have fixed
a lot of reported defects including a vulnerability issue."  I'm sorry,
but that level of disclosure is pathetic.  They are clearly trying to
hush up this issue. 

Furthermore, where IPSwitch does actually acknowledge the issue, they do
so incorrectly.  IPSwitch states the vulnerability only leads to the
service crashing - "IMAP: Corrected a vulnerability issue where a
properly crafted Fetch command causes IMAP to crash with a buffer
overflow (disclosed by TippingPoint, a division of 3Com). "
http://www.ipswitch.com/support/ics/updates/ics200603prem.asp, when the
exploit is much more severe - "This vulnerability allows remote
attackers to execute arbitrary code on vulnerable installations of
Ipswitch Collaboration Suite"
http://www.zerodayinitiative.com/advisories/ZDI-06-003.html

The vulnerability disclosure practices of IPSwitch are pathetic.

"Seek, and ye shall find!"

-Jay





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, March 14, 2006 1:39 PM
To: Imail_Forum@list.ipswitch.com
Subject: RE: [IMail Forum] Ipswitch Collaboration Suite Code Execution
Vulnerability time to upgrade to .03 if you are running 2006

The information on the extent of the issue on ANY version is disclosed
in these ways by the entity finding the vulnerability. They are the ones
that are testing against versions.

John T
eServices For You

"Seek, and ye shall find!"

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Imail_Forum- 
> [EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks 
> LLC
> Sent: Tuesday, March 14, 2006 10:07 AM
> To: Imail_Forum@list.ipswitch.com
> Subject: RE: [IMail Forum] Ipswitch Collaboration Suite Code Execution
> Vulnerability time to upgrade to .03 if you are running 2006
> 
> In typical IPSwitch fashion, no information is provided about the 
> extent of this issue on previous versions of iMail (8.x, 7.x, etc).  
> Are these versions vulnerable?
> 
> -Jay
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matti Haack
> Sent: Tuesday, March 14, 2006 6:49 AM
> To: Imail_Forum@list.ipswitch.com
> Subject: [IMail Forum] Ipswitch Collaboration Suite Code Execution 
> Vulnerability time to upgrade to .03 if you are running 2006
> 
> "Vulnerability Details:
> 
> This vulnerability allows remote attackers to execute arbitrary code 
> on vulnerable installations of Ipswitch Collaboration Suite. 
> Authentication is required to exploit this vulnerability. This 
> specific flaw exists within the IMAP daemon. A lack of bounds checking
> during the parsing of long arguments to the FETCH verb can result in 
> an exploitable buffer overflow."
> http://www.zerodayinitiative.com/advisories/ZDI-06-003.html
> 
> http://www.ipswitch.com/support/ics/updates/ics200603prem.asp
> 
> Greetings
>          Matti
> 
> 
> 
> -
> Matti Haack - Hit Haack IT Service Gmbh Poltlbauer Weg 4, D-94036 
> Passau
> +49 851 50477-22 Fax: +49 851 50477-29
> http://www.haack-it.de
> 
> 
> 
> 
> -- Outgoing e-mail was scanned for viruses -- To Unsubscribe:
> http://www.ipswitch.com/support/mailing-lists.html
> List Archive:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> 