Finjan: Warning users or scaring up business?

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001

    Finjan: Warning users or scaring up business?

    Windows XP users could be excused for feeling a little less safe this week.

    Security tools maker Finjan Software warned on Wednesday that it found as many as 10 security flaws in the last update to Microsoft's flagship operating system, Windows XP Service Pack 2.

    In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user.

    Windows XP SP2 "suffers because it is still basically the same operating system and has some major flaws which compromise end-user security," Shlomo Touboul, CEO of the firm, said in statement. "By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."

    The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as a way to be protected from the threats.

    While security researchers have sometimes outed flaws in Microsoft products before the software giant has published a patch, security companies have generally waited to announce vulnerabilities until Microsoft had a way to protect its customers. Finjan's press release has reopened the debate over what should be considered the responsible disclosure of software flaws.

    In the latest case, Microsoft believes that Finjan's flaw reports are, in many cases, overstated or altogether mistaken, said Debby Fry Wilson, director of marketing for Microsoft's security business and technology unit.

    "We do feel strongly that what they are doing is premature, will cause market confusion and is an overstatement of the breadth and severity," she said. "We are very disappointed that they are engaged in a PR ploy rather than thinking about what is best for customers and the security of customers."

    However, Finjan's CEO maintained that the company is merely warning people that Windows XP Service Pack 2 is not a digital fortress fully protected from Internet attacks. He labeled the press release education, not confabulation.

    "People need to know that they have to be careful--and without education, people won't be careful," Touboul said during an interview with CNET. "I wouldn't say we are scaring people. I don't believe in panic but in very calculated behavior."

    While Touboul did not say whether the company gave Microsoft 30 days to fix the issue, as has become the industry norm, he maintained that Finjan gave the software company enough time, and more than enough information to take care of the issues.

    "We don't want to argue with Microsoft about these things," he said. "We found the 19 vulnerabilities, and we showed that you could take remote control of a computer."

    However, Microsoft's Wilson took issue with Finjan's move, contending that the software giant does not agree on how many of the flaws are real. Moreover, because the security company released the issues piecemeal, the software giant argues that it is not certain that Finjan has even named 10 vulnerabilities.

    "They have been contacting us over time regarding various issues," Wilson said. "But there is no definitive communications between Microsoft and Finjan about 10 specific issues."

    How and when security vulnerabilities should be disclosed has long been debated in the security community. Many researchers believe that companies and individuals should publicly announce vulnerabilities after giving the software maker enough time to fix them. Usually, programmers get a month to fix the problems.

    The line between marketing products and disclosing security vulnerabilities should be well-defined for security companies, said Geoff Shively, chief scientist at security company PivX Solutions.

    "Being a security company, you have to consider the impact on global Internet security before doing anything," he said. PivX has released software flaw advisories and plugged its products, but the company always gives Microsoft adequate time to fix the issues, he said. "Vulnerabilities are too dangerous and too powerful to be used as a marketing tool."

    Software creators are frequently angered by researchers who do not allow them much time to fix problems. A year ago, game information site GameSpy sent a legal warning to an Italian security researcher who had found holes in that company's products. In June 2002, Linux software makers became peeved at security company Internet Security Systems for not giving them enough time to fix a problem before releasing an advisory about the issue.
    Link :

    The Castle (SP2) has been attacked!
    -Simon "SDK"

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Shlomo Touboul, CEO of the firm
    A well-known English family... probably crossed the Channel in 1066 with Guillaume le Bâtard.

    Finjan have been around for a while; I have one of their products that must be four or five years old. It is an odd one, as Finjan are not that well known, and these flaws were probably there from day one? I am in the UK and haven't seen any marketing effort from Finjan, so what are they up to?

    Thanks Simon, I shall keep an eye on this one. It is strange.

  3. #3
    "We don't want to argue with Microsoft about these things," he said. "We found the 19 vulnerabilities, and we showed that you could take remote control of a computer."
    I bet each vuln has to do with:
    1. Getting a downloaded .exe to run w/o a warning
    2. Getting a .exe to receive connections by adding an exception in the firewall
    3. Disabling the firewall
    4. Disabling the security center

    And I bet they all require the user to be an admin, and the vector has to be a type of social engineering.

    I bet this is a PR ploy. It would take some hardcore security flaws to get remote privileges any other way.

  4. #4
    Senior Member z31200n3's Avatar
    Join Date
    Jan 2004
    I'm no security guru. In fact, I prolly know just slightly more than a newb when it comes to security. But common sense tells me that Finjan is pulling some legs here. I've been kind of wishy-washy on my feelings for Microsoft over the years. I own multiple Windows PCs, one Linux box, and two Macs. Each system has its flaws, each has its benefits. But I just can't imagine that a company that's been around that long, and has that much of a reputation/profit on the line, would put out an OS that would have mega security flaws allowing access to the machine without the user downloading something, opening an email attachment, etc. But, again, those have almost nothing to do with the security of the product. They have everything to do with the security of the operator. Okay, done ranting.


  5. #5
    Join Date
    May 2004
    Well, we've certainly seen Microsoft release insanely insecure operating systems in the past while swearing up and down that they were the most secure thing on the block.
    So we certainly can't just assume "Oh, it's Microsoft, so of course their product is secure", but at the same time, we can't assume "Oh, someone said they hacked Windows 17 ways. Windows is totally insecure."
    I would say since you're dealing with information security it's better to err on the safe side, but it's also better to err on the not-giving-people-money-unless-they-can-back-up-their-big-talk side.

  6. #6
    Junior Member
    Join Date
    Nov 2004
    Finjan is a legitimate company and reputable. I do not doubt them one bit.
    America, F**K YAH!
