
Can we afford full disclosure of security holes?

From: Richard M. Smith
Sent: Friday, August 10, 2001 1:39 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Can we afford full disclosure of security holes?

Hello,

The research company Computer Economics is calling Code Red the most expensive computer virus in the history of the Internet. They put the estimated clean-up bill so far at $2 billion. I happen to think the $2 billion figure is total hype, but clearly a lot of time and money has been spent cleaning up after Code Red.

For the sake of argument, let's say that Computer Economics is off by a factor of one hundred. That still puts the clean-up costs at $20 million.

This $20 million figure begs the question: was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no.

Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. I realize that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that a less revealing eEye advisory would have saved a lot of companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS security hole shows the right balance. It gives IIS customers enough information about the buffer overflow without giving virus writers a recipe for how to exploit it.

Thanks,
Richard M. Smith

From: Richard M. Smith
Sent: Sunday, August 12, 2001 10:17 AM
To: 'BUGTRAQ@SECURITYFOCUS.COM'
Subject: The common sense argument against full disclosure.

Hello,

Thanks for all the replies to my previous Bugtraq message entitled "Can we afford full disclosure of security holes?".

The best answer I got back against full disclosure of security holes was in an eEye press release of May 1, 2001, which quoted Marc Maiffret:

   http://www.eeye.com/html/press/PR20010501-2.html

   May 1, 2001 - eEye Digital Security Announces Major Vulnerability in Microsoft(R) Windows 2000 IIS 5.0 Web Server Software

   "We have shared the exploit with Microsoft to demonstrate the seriousness of our finding. eEye has decided not to release the exploit to the general public given the potential abuse by malicious individuals."

Most folks that I know who find security holes in products also follow this same common sense rule of partial disclosure. They leave out details of a security hole in a public advisory that might be used by the bad guys to exploit the security hole. They use their own good judgment when writing a security advisory about where to draw the line on providing too much information about a security hole that might be misused. If other security folks do need more details about a problem, then this information is typically provided privately with an understanding that it needs to be kept confidential.

As an example of over-disclosure of information, I think that eEye's June 18th advisory on the second IIS buffer overflow error could have left out all of the discussion of the EIP smashing. This information primarily benefits the bad guys writing worms and Trojan horses and does little to help make IIS systems more secure. It is not clear yet if the Code Red author used this eEye information on EIP smashing to help produce Code Red. However, even the appearance that the eEye advisory might have been used to make Code Red possible is not good PR, given that the EIP smashing information has little or no security value.

As an aside, eEye does not appear to follow its own advice. Over in the May 1 advisory for the first IIS buffer overflow they actually offer an exploit in the form of a C source file, in spite of what the May 1 press release says:

   http://www.eeye.com/html/Research/Advisories/AD20010501.html

   Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)

   Proof of concept exploit:
   http://www.eeye.com/html/research/Advisories/iishack2000.c
   This exploit will simply create a file in the root of drive c:\ with instructions on how to patch your vulnerable server. ... We would like to note that eEye Digital Security did provide Microsoft with a working exploit.

Pretty clearly the eEye May 1 press release and advisory contradict each other. eEye probably needs to get this problem fixed.

BTW, to make one thing very clear, I think that the eEye crew did a super job of finding these two IIS buffer overflows and working with Microsoft to get them patched. Their analysis of the Code Red worm was also extremely important. If only Microsoft could do as good a job of finding these same kinds of problems before shipping products like Windows, IIS, Internet Explorer, and Office!

Thanks,
Richard M. Smith
