http://www.newsbytes.com/news/01/171173.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A., 16 Oct 2001, 1:37 PM CST

Pushed to the brink by recent Internet worm outbreaks, Microsoft hopes to rally the computer industry against those who improperly publish information about security vulnerabilities.

In an editorial at Microsoft's site, Scott Culp, head of the company's Security Response Center, announced the initiative against what he called "information anarchy."

According to Culp, the damage caused by worms such as Code Red and Nimda can be blamed in part on computer security professionals who discovered the software flaws exploited by the malicious, self-propagating programs.

"The people who wrote (the worms) have been rightly condemned as criminals. But they needed help to devastate our networks ... It's high time the security community stopped providing blueprints for building these weapons," he said.

According to Culp, recent worms have relied on techniques and even specific software instructions published by security firms in their advisories about software bugs.

"Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons ... It's simply indefensible for the security community to continue arming cybercriminals," he said.

Microsoft's editorial is the latest salvo in the debate between security experts and software vendors over what is called "full disclosure." In Microsoft's view, the only prudent policy is to work with vendors and not disclose vulnerability information to the public until a patch is available - and then only to disclose enough information so that administrators can decide whether to apply the fix without being at risk if they don't.

"This is not a call to stop discussing vulnerabilities. Instead, it is a call for security professionals to draw a line beyond which we recognize that we are simply putting other people at risk," said Culp.
To exert economic pressure on security consultants to adopt this approach, Microsoft recommends that customers ask consultants for their policy on disclosing information about security bugs they discover.

Chris Rouland, director of the X-Force team at Information Security Systems, said the software and consulting firm shares Microsoft's viewpoint on the dangers of releasing bug exploits.

"We question the ethics and business value of arming individuals with the ability to break into computers," said Rouland.

John Pescatore, research director for Internet security at Gartner, agreed that publishing information on how to exploit security bugs is potentially harmful. But he said Microsoft is dodging its responsibility to ship products with fewer vulnerabilities.

"The biggest problem system administrators have is not that people are giving out detailed blueprints on how to attack vulnerabilities; it is that many of the vulnerabilities that come out in IIS and other software are so huge that minimally skilled hackers can exploit them on their own," said Pescatore.

Richard Forno, chief technology officer for Shadowlogic, an information assurance firm, said software vendors have a vested interest in keeping vulnerability information private.

"Without such widespread public knowledge and awareness of these problems, vendors can take their time addressing these concerns, if they even address them at all. Microsoft is by far the most notorious in their vulnerability announcements, legalese and cover-their-tail security alerts," said Forno.

Microsoft's editorial is aimed in part at eEye Digital Security, the security software firm that discovered the bug in Microsoft's IIS Web server that was exploited by Code Red a month later. In its June bulletin about the vulnerability, Microsoft thanked eEye "for reporting this issue to us and working with us to protect customers."
But Culp told Newsbytes today that Microsoft was unhappy with the detailed information eEye published about the bug.

"We believe that they provided information in their advisory that was specific enough to help the people who wrote Code Red," said Culp.

Representatives of eEye, which never released an exploit for the IDA vulnerability, were not immediately available for comment.

Discussions by security professionals of eEye's advisory on security mailing lists such as Bugtraq contained additional information on how to exploit the so-called "IDA" buffer overflow bug, according to Culp, who said editors of such lists should consider blocking messages that contain exploit code.

Besides acknowledgments in its security bulletins, Microsoft plans to develop additional means of encouraging security professionals to adopt its limited-disclosure stance.

"It's time for the security community to get on the right side of this issue," he said.

The editorial on responsible disclosure is at:
http://www.microsoft.com/technet/columns/security/noarch.asp

Microsoft's policy for acknowledging security professionals in its bulletins is at:
http://www.microsoft.com/technet/security/bulletin/policy.asp