Recently, there has been a lot of discussion and public criticism on the Internet after IBM ISS X-Force published advisories on a competitor's product (Trend Micro ServerProtect) and criticised Trend Micro for how it handled those vulnerabilities.
According to the X-Force blog posting, they discovered a total of eight vulnerabilities in Trend Micro ServerProtect. Some were reported to Trend Micro as early as 2006, and the latest was disclosed in January 2008. After every report, Trend Micro would assure ISS that the issue would be fixed in the next scheduled patch.
ISS claims that for all the vulnerabilities reported, Trend Micro either ignored them or the fix implemented was inadequate. They even found a patch that could be easily evaded. ISS also claims that every time they reported the vulnerabilities to Trend Micro, they provided documentation and links to MSDN articles to assist them. When communication with Trend Micro reached a dead end, ISS also tried to reach them via CERT/CC and JP-CERT, but that hit a dead end as well.
After facing so many problems with Trend Micro, and for the benefit of their customers, ISS X-Force decided to publish the advisories with technical details.
There have been mixed reactions on whether ISS did the right thing by disclosing the vulnerabilities. Some have criticised ISS for breaking the industry's code of conduct and question whether they would do the same if their own products were at fault.
Below are the IBM ISS X-Force Trend Micro ServerProtect Advisories:
- CVE-2006-5268 - Trend Micro ServerProtect Unauthenticated Remote Administration
- CVE-2006-5269 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflow
- CVE-2007-0072 CVE-2007-0073 CVE-2007-0074 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3)
- CVE-2008-0012 CVE-2008-0013 CVE-2008-0014 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3)
- Computerworld: IBM's ISS blasts security rival Trend Micro over bugs
- Frequency X blog: The Scoop on the X-Force TrendMicro Advisories