Yesterday the SANS Institute Internet Storm Center blog Handler's Diary covered the story. The article concludes with:
So given the facts above, are you asking the right questions of your vendors? How certain are you that your favorite software vendor is writing secure code? Do you have the ability to change software packages if you find that a product has been found to have basic programming errors? And can your organization afford to let known holes live unpatched for 1.5 years?
These are all good questions to ask, but give a misleading impression of how IBM handled the situation. Here's how IBM worked with NGSS from an inside perspective...
In 2004 David Litchfield at NGSS contacted IBM to advise that he was planning to look at Informix Dynamic Server (IDS) and asked if we could provide him with some software. IBM welcomed this enquiry: NGSS was known to act responsibly by giving vendors time to fix problems before announcing them, and the review gave us the opportunity to discover and resolve problems in a controlled manner, with a much more secure product as the end result. A recent copy of IDS was therefore sent to NGSS for testing.
We were aware of press reports about Oracle having yet to address hundreds of security problems discovered by NGSS, so we set about putting together an international team of advanced support, development engineers and IDS architects to address any reported problems as quickly as possible, as well as to look for unreported problems in the same areas of the code. Beginning in January 2005 problem reports started coming in; around 20 individual problems were reported to us in total, and each one was immediately assigned an owner to reproduce the problem, log a defect and start fixing it. Each fix was peer reviewed, development reviewed and put through QA. Some problems were determined to be duplicates of known problems which were already fixed, others were determined to be test case errors, and some fixes resolved multiple problems. For the purposes of IBM's announcement these problems were categorized into 14 individual fixes, which started appearing in IDS fix-packs around May 2005. Throughout this process NGSS and IBM actively co-operated in understanding and reproducing the problems.
So if the problems were fixed and in IDS fix-packs a year ago, why did IBM only recently announce them? From the beginning the announcement was planned to coincide with David Litchfield's announcement, to make sure as many customers as possible already had the fixes in place before they were published (this is particularly important for older code branches like 7.31, which has an annual fix-pack release cycle). David informed us a few weeks ago that he would be publicising them at Black Hat 2006, so the IBM announcement was made the day before. The main goal for IBM throughout was to learn from the mistakes of other database companies and make sure that the fix for every problem was in generally available versions of IDS before it was made public. This goal was achieved.