Slashdot Mirror


Firm To Release Database, Web Server 0-Days

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."

14 of 220 comments

  1. Re:What's up with the confusing article title? by gregarican · · Score: 3, Funny

    Perhaps the firm is issuing a malicious DROP DATABASE T-SQL command, escaping through some unsanitized web query...

  2. Is it just me? by gregarican · · Score: 4, Funny

    Or is the English language dying a painful death on /. as time passes? The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.

    Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???

    1. Re:Is it just me? by Arancaytar · · Score: 5, Funny

      You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

  3. Re:What's up with the confusing article title? by Arancaytar · · Score: 4, Funny

    We're lucky Slashdot properly escapes its SQL input. A headline like "Firm to 'DROP DATABASE `web_server`" might otherwise result in havoc. :P

  4. Re:What's up with the confusing article title? by gregarican · · Score: 3, Funny

    So let me get this straight. Slashdot validates their SQL input. But they don't validate their HTML conformance?

  5. What about bobby tables? by 0100010001010011 · · Score: 4, Funny

    This guy should rename his name to Bobby Tables at the same time. Imagine the number of newspapers that would try to do a press release, but couldn't.

  6. Re:What's up with the confusing article title? by Stavr0 · · Score: 2, Funny

    Firm To Drop Database, Web Server 0-Days

    The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable.

    Perhaps "Firm to GRANT SELECT ON database, web server 0-days TO PUBLIC"

  7. Re:What's up with the confusing article title? by tag · · Score: 2, Funny

    The verb to drop has specific meaning w.r.t. databases.

    There's an xkcd for that.

  8. Re:Responsible Disclosure by Anonymous Coward · · Score: 2, Funny

    I am in favor of mandatory masturbation (to prevent the need for abortions.)

  9. Re:What's up with the confusing article title? by tftp · · Score: 4, Funny

    PS: wikipedia was complaint, its should applauded for its effort.

    What have I done to deserve this pain?

  10. Re:Irresponsible by Anonymous Coward · · Score: 1, Funny

    A Russian court. Believe it or not there are legal systems outside the US.

  11. Re:Responsible Disclosure by Anonymous Coward · · Score: 2, Funny

    The one where an unknown number of people in the world know how to exploit it before the patch.

    FTFY.

    FTFY.

  12. Re:Responsible Disclosure by davester666 · · Score: 2, Funny

    A) Fix the bugs that people are experiencing problems with RIGHT NOW with exploits in the wild, or

    B) Fix the bugs that are "theoretical" and MAY be exploited at some point in the future if somebody else finds it?

    But how do you know if it's being exploited in the wild or not? Vendors are unlikely to know, security researchers and the anti-virus companies might. The best exploits are written so the end-user doesn't notice anything bad has happened.

    And even if it's not, is it wise to wait until AFTER, say, some business notices that their computer/web site gets hacked because of the exploit, stealing a million credit card numbers before the vendor bothers to fix the bug?

    Maybe this kind of thing will result in more problems for purchasers in the near term, which may result in more pressure for vendors to produce higher quality software in the longer term? HAHAHA, I made myself laugh at that...

    --
    Sleep your way to a whiter smile...date a dentist!

  13. Re:What's up with the confusing article title? by ais523 · · Score: 3, Funny

    I can't figure out if you came up against Muphry's Law there, or if Slashdot's parsing decided to do it for you...

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"