Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers fix this immediately. Shame on them for letting it get this far. I am not sure what the basis of ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under. While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the peoples ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS this will be easy to script and worm.

Posted by: Warguppy at August 2, 2005 02:26 AM

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11259/32233#32233