[ISN] Security Firm Blamed For Code Red Costs

From: InfoSec News (isnat_private)
Date: Sat Aug 11 2001 - 00:05:12 PDT


    By Brian McWilliams, Newsbytes
    10 Aug 2001, 5:11 PM CST
    The damage toll from the Code Red worm has sparked a new debate over
    what security experts call "full disclosure."
    Richard M. Smith, chief technology officer for the Privacy Foundation,
    today criticized the company that found and publicized the glitch in
    Microsoft's Internet Information Server (IIS) which led to the
    creation of the malicious worm and a copy-cat.
    "Was it really necessary for eEye Digital Security to release full
    details of the IIS buffer overflow that made the Code Red I and II
    worms possible? I think the answer is clearly no," wrote Smith in a
    message to the Bugtraq security mailing list today.
    eEye published a detailed advisory about the new IIS flaw on June 18,
    the same day that Microsoft released its own bulletin and a patch to
    correct the problem. In its description of the problem, Microsoft
    thanked eEye for working with the company "to protect customers."
    On Wednesday, Computer Economics, an information technology cost
    research firm, put the total economic price tag of the Code Red worm at
    more than $2 billion, based on an estimate that 760,000 computers
    worldwide were infected.
    According to Smith, those figures are "total hype." But he said that
    if eEye had released details about the bug only to the big software
    company, organizations that use Microsoft's IIS software would have
    been spared the considerable expense and effort of cleaning up after
    Code Red.
    "One thing is now crystal clear with Code Red: full-disclosure comes
    with one hell of a price tag. There has to be a better way," said
    As first reported by Newsbytes, the original Code Red worm was
    identified on July 17. A second worm, dubbed Code Red II, which preyed
    on the same vulnerability, began appearing on Aug. 4. The authors of
    both worms have not been identified.
    In a seething rebuttal to Smith's posting, Marc Maiffret, chief
    hacking officer for eEye, denied that the firm was indirectly
    responsible for the worm. According to Maiffret, "This sort of
    ignorance being spread in a public forum is just one of the many
    things wrong with the security industry."
    As proof that withholding security vulnerability information can
    ultimately hurt computer users, Maiffret pointed to an earlier,
    related worm released last spring which exploited a different,
    unpublished vulnerability in IIS but didn't spread widely.
    According to a report published Monday in the Wall Street Journal, the
    worm infected a Department of Energy research laboratory last April.
    The lab called in the FBI, but the agency reportedly took no action.
    Maiffret said Microsoft subsequently released a fix for the flaw as
    part of a bundle of patches, without publicizing the vulnerability.
    "Therefore (intrusion detection system) vendors never had a signature
    ... If a security company had found the flaw, then there would have
    been details, signatures made, and IDS systems would have detected the
    first instance of Code Red," said Maiffret.