Thus spake "James Baldwin" <[EMAIL PROTECTED]>
> Moreover, the fix for this was already released and you have not been
> able to download a vulnerable version of the software for months; however,
> there was no indication from Cisco regarding the severity of the required
> upgrade. That is to say, they knew in April that arbitrary code execution
> was possible on routers, they had it fixed by May, and we're hearing
> about it now, and if Cisco had its way we might still not be hearing about
> it.
Cisco's policy, as best I can tell, is that they patch security holes
immediately but delay notification until either (a) six months pass, or (b)
an exploit is seen in the wild. The former is intended to give customers
ample time to upgrade to patched versions (often without their knowledge)
without tipping their hand to the "bad guys". However, a CERT advisory is
prepared and ready for immediate distribution if the latter occurs.
> How many network engineers knew there was a potential problem of
> this magnitude at the beginning of May? If, knock on wood, someone
> had released this code into the wild, then how many networks would
> have been vulnerable despite the availability of a fix?
There are network engineers that knew, but they couldn't admit it due to
NDAs. This is one of the benefits of buying "high touch" support
contracts -- and Cisco is not alone in that model.
S
Stephen Sprunk        "Those people who think they know everything
CCIE #3723             are a great annoyance to those of us who do."
K5SSS                                                --Isaac Asimov