n.runs, Sophos, German laws, and customer safety

The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor's statement that it's only a "theoretical" DoS:

  http://www.sophos.com/support/knowledgebase/article/28407.html

"A corrupt UPX file causes the virus engine to crash and Sophos
  Anti-Virus to return 'unrecoverable error. leading to scanning being   terminated. It should not be a security threat although repeated   files could cause a denial of service."

It is unfortunate that Germany's legal landscape prevents n.runs from providing conclusive evidence of their claim. This directly affects Sophos customers who want to know whether it's "just a DoS" or not. Many in the research community know about n.runs and might believe their claim, but the typical customer does not know who they are (which is one reason why I think the Pwnies were a good idea). So, many customers would be more likely to believe the vendor. If the n.runs claim is true, then many customers might be less protected than they would if German laws did not have the chilling effect they are demonstrating.

It should be noted that in 2000, a veritable Who's Who of computer security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias Levy, Alan Paller, and other well-known security professionals - published a statement of concern about the Council of Europe draft treaty on Crime in Cyberspace, which I believe was the predecessor to the legal changes that have been happening in Germany:

  http://homes.cerias.purdue.edu/~spaf/coe/TREATY_LETTER.html

Amongst many other things, this letter said:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

"Signatory states passing legislation to implement the treaty may
  endanger the security of their computer systems, because computer   users in those countries will not be able to adequately protect   their computer systems... legislation that criminalizes security   software development, distribution, and use is counter to that goal,   as it would adversely impact security practitioners, researchers,   and educators."

If I recall correctly, we were assured by representatives that such an outcome would not occur.

• Steve