Is there a difference? You be the judge.

Walt Boyes here, stealing Joe's bully pulpit for a moment. MU Security just sent me a press release, quoted below. I submit there is a difference between what this release describes and the infamous Core/Citect incident. And I further submit that the difference is NOT Citect's absolutely abysmal response. I was told by my first boss that he didn't want to hear my problems, he wanted to hear my solutions to my problems. That's what I see happening here, and that's what the entire "grey hat" industry has yet to internalize. They are so involved with playing the "gotcha" game they don't understand the very touchy ethics of playing gotcha with critical infrastructure security. MU appears to have gotten that right. MU DYNAMICS DISCOVERS REMOTE DENIAL OF SERVICE VULNERABILITY IN WIDELY USED VOICE OVER IP ReSIProcate PRODUCT   SUNNYVALE, CA – July 11, 2008 – Mu Dynamics, a pioneer in helping network operators and their vendors eliminate downtime through proactive service assurance, has discovered and helped remediate a new programming flaw in ReSIProcate: A remotely exploitable Denial of Service vulnerability.  The ReSIProcate components, particularly the SIP stack, is currently used in several Voice over IP (VoIP) commercial and open-source products.  The project exists to maintain a complete, correct, and commercially usable implementation of SIP and a few related protocols.   Affected Products/Versions:  repro SIP proxy/registrar 1.3.2; however any product using the ReSIProcate SIP stack 1.3.2 may also be vulnerable.   Product Overview:  ReSIProcate is a SIP stack.  SIP is a protocol used for session establishment that is widely used to support voice-over-IP telephony.  “repro” is a SIP proxy/registrar that uses the ReSIProcate SIP stack.   Vulnerability Details:  A malformed INVITE or OPTIONS message to the “repro” SIP proxy/ registrar can crash the process.  The crash is caused by an assertion failure that occurs when the domain name in the request line URI is too long.   Vendor Response /Solution:  Update to 1.3.3, available from   This bug was also fixed by the ReSIProcate development team in SVN on April 23, 2008 (revision 7628).   History:          July 1, 2008 - First contact with vendor July 1, 2008 - Vendor acknowledges vulnerability July 3, 2008 - Vendor releases 1.3.3 July 10, 2008 - Advisory released Mu-4000 vector: *.request-line.line.dsv.uri.body.string.append-overflow   Credit:  This vulnerability was discovered by the Mu Dynamics research team.   Related Content:  Mu VoIP Case Study - Mu SIP Page - Mu DoS Module - Mu DoS Demonstration -