Germans react badly when people tell them that they have made something imprecise, as an independent researcher who goes by the handle “Acidgen” found out.
Acidgen, who is based in Sweden, found a stack buffer overflow bug in Magix Music Maker 16 software and promptly passed the information to Magix.
After several emails Acidgen also provided Magix with what he describes as a “nonharmful” proof-of-concept (PoC) to demonstrate how the flaw could be exploited. He told the outfit of his plans to publish the flaw and PoC after it was patched.
You would think that Magix would be happy that someone had pointed out the flaw without going public and had done everything by the book.
However, Acidgen then appears to have received an email from the company’s lawyer threatening a lawsuit for “alleged extortion” over his plans to release a proof-of-concept for the flaw.
Acidgen said the legal threat came out of nowhere. Last he heard was that the company was going to issue a patch.
Then he received a threatening letter from the lawyer saying that the company would press charges for extortion over the exploit code.
Magix also told him it was alerting antivirus companies of “new viruses” that would “spread” due to his PoC.
According to Dark Reading, the case against Acidgen does not appear to have legs and looks like Magix’s legal department trying to blitzkrieg the Swede with a fairly hollow threat.
It seems to have backfired somewhat, because an indignant Acidgen decided to reveal the Magix vulnerability yesterday. He did not publish the proof of concept but it should not be difficult for any hacker to work one of those out for themselves.
What appears to have gotten Magix’s goat was Acidgen’s offer to help the vendor further: Acidgen said that he could fuzz for more vulnerabilities “for free.” “I stated and made clear that I’m not trying to extort them or make money,” he says.
It seems Magix’s lawyer has not really got a clue about how things work in the security industry.
On one hand the lawyer seems happy that the researcher has shared his finding with the company, and says that it will use the information to “improve its products.”
Then he appears to go off on one. “MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm. As you may be aware it is illegal to release software which is intended to commit computer sabotage (e.g. Sec. 202c I No. 2 German Criminal Law).
“In addition this announcement together with your offering to have the vulnerability fixed by your company may be considered as an attempted extortion. You may rest assured that MAGIX will enter into all necessary and appropriate legal steps in this regard. In addition MAGIX will inform manufacturers of antivirus software that there might be a new virus based on your code,” the lawyer penned.
Now it seems that Magix has clammed up about its legal threats and has not responded to press inquiries.
Acidgen said he had no intention of hurting Magix or the security of its clients: That’s why he is still awaiting a fix before releasing the PoC.