Re: [ISN] Full Disclosure: How Much Security Info Is Too Much?

From: InfoSec News (isnat_private)
Date: Thu Oct 04 2001 - 01:04:58 PDT

    Forwarded from: Kim Zetter/PCWORLD <kzetterat_private>
    
    Per Jay Lyman's story about full disclosure at NewsFactor Network
    (http://www.newsfactor.com/perl/story/13871.html), he wrote:
    
    > Experts agree that advisories, by their very nature, may be a heads-up
    > to hackers. eEye Security came under fire for disclosing the Code Red
    > vulnerability in June before Microsoft had released a patch for the
    > hole, and again for releasing detailed information after Code Red was
    > controlled, which some blamed for the success of the Code Red II virus.
    
    I'm not sure where Lyman got his info but, according to eEye (and per
    the story I wrote about it at
    http://www.pcworld.com/news/article/0,aid,60744,00.asp),
    
    the company notified Microsoft of the vulnerability in May and waited
    a month for the patch to be produced before making their announcement
    simultaneously with Microsoft's posting of the patch in June. 
    
    In fact, Marc Maiffret of eEye says that they were scheduled to post
    the announcement a week earlier, but Microsoft contacted him to ask
    for more time, saying there was a problem with the patch and they
    needed another week to fix it.
    
    eEye complied. Jay Dyson correctly noted that Microsoft publicly
    thanked the company for waiting until they had prepared the patch.
    
    
    
    
    InfoSec News <isnat_private>@attrition.org on 10/02/2001 02:29:57 AM
    
    Please respond to InfoSec News <isnat_private>
    
    Sent by:  owner-isnat_private
    
    To:   isnat_private
    cc:
    Subject:  [ISN] Full Disclosure: How Much Security Info Is Too Much?
    
    
    http://www.newsfactor.com/perl/story/13871.html
    
    By Jay Lyman
    NewsFactor Network
    October 1, 2001
    
    The debate over how much detail to release on software security gaps
    and when to go public with potentially sensitive security information
    has experts looking for a middle ground, wherein systems can be
    secured without helping hackers.
    
    The Code Red and Code Red II virus outbreaks, which capitalized on
    vulnerabilities that were publicized before the viruses spread,
    brought the debate front and center, but the issue presents a constant
    challenge to those who hunt for vulnerabilities.
    
    Administrators whose systems fell prey to Code Red and Code Red II
    because they lacked the necessary security patches bore much of the
    blame for the spread of the viruses. But when considering the bigger
    picture and the vast numbers of vulnerabilities uncovered every day,
    the situation becomes more complex, according to CERT vulnerability
    handling team leader Sean Hernan.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    