Rick Leske wrote:
> I would personally still bank on the fact that IPSwitch knows their
> product, IMail. If there is a genuine concern with buffer overflows,
> etc., then I would think that IPSwitch would be more apt at providing a
> solution for any protocol 'holes or problems' - no matter whom we might
> place guilt upon.

I'm certainly with you on Ipswitch knowing their product(s) but the HTTP protocol and any alleged holes therein are not theirs alone but rather a public-domain issue. I'm sure that the folks at Ipswitch are concerned with this whole thing because it may impact the Web messaging portion of IMail and they are as likely as any other vendor to find a way to plug security holes.

> If anyone discovers problems, concerns, etc., with IMail then my first
> place to seek help would be via IPSwitch. I also would not personally
> post any information, good or bad, concerning any possible security
> flaws, exploits, etc.

Again, I agree from a purely "IMail" point of view; I too would look to Ipswitch for implementing a fix in IMail's Web messaging, even though the vulnerability goes beyond their product. (An example of a successful exercise would be to have IMail hardened against this exploit while your IIS might remain vulnerable pending MS acting on it -- just to illustrate.)

As for reporting "possible security flaws, exploits, etc.", this is best done by first contacting the vendor privately, as I'm sure we agree. But there is some merit in [carefully] warning the community at large, especially if the exploit is not product-specific (think of viruses, for instance). It's all in the manner we do it and I must say that postings about this issue on this list have been impeccable, in my opinion.

Guy
