http://www.newsbytes.com/news/01/168934.html

By Brian McWilliams, Newsbytes

ALISO VIEJO, CALIFORNIA, U.S.A., 10 Aug 2001, 5:11 PM CST

The damage toll from the Code Red worm has sparked a new debate over what security experts call "full disclosure."

Richard M. Smith, chief technology officer for the Privacy Foundation, today criticized the company that found and publicized the buffer overflow in Microsoft's Internet Information Server (IIS) which led to the creation of the worm and a copy-cat.

"Was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no," wrote Smith in a message to the Bugtraq security mailing list today.

eEye published a detailed advisory about the IIS flaw on June 18, the same day that Microsoft released its own bulletin and a patch to correct the problem. In its description of the problem, Microsoft thanked eEye for working with the company "to protect customers."

On Wednesday, Computer Economics, an information technology cost research firm, put the total economic price tag of the Code Red worm at more than $2 billion, based on an estimate that 760,000 computers worldwide were infected.

According to Smith, those figures are "total hype." But he said that if eEye had released details about the bug only to Microsoft, organizations that run IIS would have been spared the considerable expense and effort of cleaning up after Code Red.

"One thing is now crystal clear with Code Red: full-disclosure comes with one hell of a price tag. There has to be a better way," said Smith.

As first reported by Newsbytes, the original Code Red worm was identified on July 17, about a month after the advisory and patch were published. A second worm, dubbed Code Red II, which preyed on the same vulnerability, began appearing on Aug. 4. The authors of both worms have not been identified.
In a seething rebuttal to Smith's posting, Marc Maiffret, chief hacking officer for eEye, denied that the firm was indirectly responsible for the worm. According to Maiffret, "This sort of ignorance being spread in a public forum is just one of the many things wrong with the security industry."

As evidence that withholding vulnerability information can ultimately hurt computer users, Maiffret pointed to an earlier, related worm released last spring which exploited a different, unpublished vulnerability in IIS but did not spread widely. According to a report published Monday in the Wall Street Journal, that worm infected a Department of Energy research laboratory last April. The lab called in the FBI, but the agency reportedly took no action.

Maiffret said Microsoft subsequently released a fix for the flaw as part of a bundle of patches, without publicizing the vulnerability. "Therefore (intrusion detection system) vendors never had a signature ... If a security company had found the flaw, then there would have been details, signatures made, and IDS systems would have detected the first instance of Code Red," said Maiffret.

[...]
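Maiffret's point about signatures is worth making concrete. What follows is an added example, not code from the article, from eEye or from any IDS vendor: a minimal log-scanning "signature" for the request shape the Code Red worms sent, a GET for an Indexing Service ISAPI extension (.ida or .idq) whose query string is a long filler run (N for Code Red I, X for Code Red II) followed by %u-encoded bytes. The article itself does not describe the request; that shape is public knowledge about the worms, while the 200-byte query threshold, the 224-character fill length and the sample log lines are assumptions constructed here. The sample lines use the Apache-style common log layout for readability; IIS's own W3C extended log format lays the fields out differently and the regex would need adjusting for it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not from the article). Two lines mimic the Code Red
# request shape; the fill length and %u bytes are illustrative assumptions.
FILL_N = "N" * 224
FILL_X = "X" * 224
SAMPLE_LOG = (
    f'10.0.0.5 - - [17/Jul/2001:13:05:11 -0500] "GET /default.ida?{FILL_N}'
    f'%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -\n'
    f'10.0.0.6 - - [17/Jul/2001:13:05:12 -0500] "GET /index.html HTTP/1.1" 200 4312\n'
    f'10.0.0.7 - - [04/Aug/2001:09:41:02 -0500] "GET /default.ida?{FILL_X}'
    f'%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -\n'
    f'10.0.0.8 - - [04/Aug/2001:09:42:55 -0500] "GET /search.ida?q=reports HTTP/1.1" 404 -\n'
)

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions handled by the IIS Indexing Service ISAPI filter that the worms targeted.
ISAPI_EXTS = (".ida", ".idq")
# Assumed threshold: a legitimate .ida/.idq query is short; the overflow needs a long one.
QUERY_THRESHOLD = 200


@dataclass
class Hit:
    src: str
    ts: str
    path: str
    variant: str
    query_len: int


def classify_query(query: str) -> str:
    """Label the filler style; both variants trip the same signature."""
    if query.startswith("N" * 20):
        return "N-fill (Code Red I)"
    if query.startswith("X" * 20):
        return "X-fill (Code Red II)"
    return "oversized .ida/.idq query (unknown variant)"


def inspect_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line matches the signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable request line
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith(ISAPI_EXTS):
        return None  # not routed to the vulnerable ISAPI filter
    if len(query) < QUERY_THRESHOLD:
        return None  # short query: normal Index Server usage, not an overflow attempt
    return Hit(m.group("src"), m.group("ts"), path, classify_query(query), len(query))


def scan_log(text: str) -> List[Hit]:
    """Apply the signature to every line of a log and collect the hits."""
    return [h for h in (inspect_line(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.path} query_len={hit.query_len} {hit.variant}")
```

The signature keys on the combination that matters (an .ida/.idq target plus an oversized query) rather than on the literal N or X filler, so a trivially re-fillered copy-cat still trips it; the filler check only labels the variant. The short /search.ida request in the sample is deliberately left alone to show that the rule does not fire on ordinary use of the extension.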