Vendors still use the “legal” weapon

By Thomas Kristensen

In these days, one would have believed that vendors have learned the lesson not to threaten with legal actions to withhold and suppress significant information about vulnerabilities in their products.

Well, nonetheless, Secunia just received a sequel of letters from Autonomy, likely not known to many, but it is the software company that supplies the "Swiss Army Knife" in handling and opening documents in well known software like IBM Lotus Notes and Symantec Mail Security.

First a little background information
The communication between Autonomy and their OEM customers regarding which versions of their KeyView software that fix given vulnerabilities has failed again and again. This has been a mess to sort out and Secunia has had to spent hours verifying what e.g. was fixed by IBM and what was fixed by Symantec – because apparently the versioning of the KeyView software is different whether used by Symantec, IBM, or others.

We've managed to figure this out and occasionally this has caused one of Autonomy's OEM customers to have unpatched publicly known vulnerabilities in their products. All thanks to Autonomy's apparent inability to co-ordinate the release of new vulnerability fixes with their customers.

Now, Autonomy has become fed up with handling all these vulnerabilities and believe that it is time to control what Secunia writes about. Autonomy wants Secunia to withhold information about the fact that vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been fixed by IBM, obviously also affects Autonomy's own versions 9.2 and 10.3 of KeyView.

According to Autonomy, publishing an advisory would be misleading and cause confusion because the issues already have been fixed; in fact, they believe that this would cause the public to believe that there are more issues in their product than is the case!

Now that is an interesting logic.

Sorry Autonomy, writing an advisory that states which vulnerabilities have been fixed and in which versions is in no way misleading or confusing – even for "historical" issues.

What is really interesting here is the fact that the Vulnerability Database services offered by Autonomy's own customers IBM and Symantec (ISS X-Force and Securityfocus respectively) still (at the time of publishing) don't show information about the fact that patches are available for the Lotus 1-2-3 issue – while Secunia, who Autonomy accuses of publishing misleading information, correctly reflects the fact that Autonomy offers patches.

However, this doesn't seem to be a concern for Autonomy or perhaps their legal department also treats their own customers in the same way as Secunia is treated?

What is misleading and confusing in this whole case is the apparent lack of co-ordination between Autonomy and Autonomy's OEM customers, the lack of clear, precise public statements about vulnerabilities and security fixes.

If Autonomy wants to avoid "misleading" and "confusing" communication, then Autonomy ought to start publishing bulletins such as those made by most other serious and established software vendors (e.g. Microsoft and their own customers IBM and Symantec) with clear information about the type of vulnerability, potential attack vectors, potential impacts, affected versions, and unaffected versions – it's really that simple.

Naturally, Autonomy should also communicate to their own customers (IBM and Symantec) that patches addressing vulnerabilities are available so that both their products and their Vulnerability Database services are updated.

Our response to these claims and accusations
Despite Autonomy's unsubstantiated legal threats, Secunia will quite legally continue to do vulnerability research in Autonomy products and any other products of interest. Naturally, Secunia will also continue to publish research articles and advisories in an unbiased, balanced, accurate, and truthful manner as we serve one purpose only: To provide accurate and reliable Vulnerability Intelligence to our customers and the Internet in general.

Secunia is in continuous, ongoing, and positive dialogues with most vendors including large professional organisations like Microsoft, IBM, Adobe, Symantec, Novell, Apple, and CA. All understand and respect the need for informing the public about vulnerabilities and prefer to co-ordinate and synchronise the publication with important Vulnerability Intelligence sources such as Secunia rather than battling to keep things secret. It is truly sad to see that certain vendors like Autonomy still behave like many software vendors did back in the previous millennium.

Copies of all correspondence in this "matter" is available below in chronological order, enjoy:
1. Email from Secunia 20071128.pdf
2. Letter from Autonomy 20071202.pdf
3. Email from Secunia 20071203.pdf
5. Letter from Autonomy 20071203.pdf
4. Email from Secunia 20071204.pdf
6. Letter from Autonomy 20071205.pdf

Kindest regards,

Thomas Kristensen
CTO, Secunia