Intelligence - Baseline
Security Appliance Vendors Blasé About CSRF Flaws
By Lisa Vaas


News Analysis: Researchers say security appliance makers are being lax about fixing an arcane vulnerability.

Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products—products that sit at the crossroads of enterprise protection.

The vulnerable appliances, unified threat management products, "certainly are an important part of an enterprise's security," said Billy Hoffman, lead researcher for SPI Dynamics' SPI Labs, in Atlanta. "I'm kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]—I'd be surprised if there were not people inside the [organizations] that are saying, 'We need to fix this.'"

On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors' UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.

Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable—or, at the least, until the vendors respond to eWEEK's queries as to whether they're investigating and can confirm or deny their products' vulnerability—Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure.

One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptix's claims to file a complaint against the company with CERT. "Not sure what [Calyptix is] up to, but they definitely did not do their homework," said the spokesman, in an e-mail exchange. "We complained to CERT, because [Calyptix] 'cried wolf' to CERT as well."

The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldn't recall when.

Read the full story on eWEEK.com: Security Appliance Vendors Blasé About CSRF Flaws
