[ISN] Microsoft Rallies Industry Against Bug Anarchy

From: InfoSec News (isnat_private)
Date: Wed Oct 17 2001 - 01:12:53 PDT

  • Next message: InfoSec News: "[ISN] Microsoft once again takes the low road..."

    By Brian McWilliams, Newsbytes
    16 Oct 2001, 1:37 PM CST
    Pushed to the brink by recent Internet worm outbreaks, Microsoft hopes
    to rally the computer industry against those who improperly publish
    information about security vulnerabilities.
    In an editorial at Microsoft's site, Scott Culp, head of the company's
    Security Response Center, announced the initiative against what he
    called "information anarchy."
    According to Culp, the damage caused by worms such as Code Red and
    Nimda can be blamed in part on computer security professionals who
    discovered the software flaws exploited by the malicious,
    self-propagating programs.
    "The people who wrote (the worms) have been rightly condemned as
    criminals. But they needed help to devastate our networks ... It's
    high time the security community stopped providing blueprints for
    building these weapons," he said.
    According to Culp, recent worms have relied on techniques and even
    specific software instructions published by security firms in their
    advisories about software bugs.
    "Clearly, the publication of exploit details about the vulnerabilities
    contributed to their use as weapons ... It's simply indefensible for
    the security community to continue arming cybercriminals," he said.
    Microsoft's editorial is the latest salvo in the debate between
    security experts and software vendors over what is called "full
    In Microsoft's view, the only prudent policy is to work with vendors
    and not disclose vulnerability information to the public until a patch
    is available - and then only to disclose enough information so that
    administrators can decide whether to apply the fix without being at
    risk if they don't.
    "This is not a call to stop discussing vulnerabilities. Instead, it is
    a call for security professionals to draw a line beyond which we
    recognize that we are simply putting other people at risk," said Culp.
    To exert economic pressure on security consultants to adopt this
    approach, Microsoft recommends that customers ask consultants for
    their policy on disclosing information about security bugs they
    Chris Rouland, director of the X-Force team at Information Security
    Systems, said the software and consulting firm shares Microsoft's
    viewpoint on the dangers of releasing bug exploits.
    "We question the ethics and business value of arming individuals with
    the ability to break into computers," said Rouland.
    John Pescatore, research director for Internet security at Gartner,
    agreed that publishing information on how to exploit security bugs is
    potentially harmful. But he said Microsoft is dodging its
    responsibility to ship products with fewer vulnerabilities.
    "The biggest problem system administrators have is not that people are
    giving out detailed blueprints on how to attack vulnerabilities; it is
    that many of the vulnerabilities that come out in IIS and other
    software are so huge that minimally skilled hackers can exploit them
    on their own," said Pescatore.
    Richard Forno, chief technology officer for Shadowlogic, an
    information assurance firm, said software vendors have a vested
    interest in keeping vulnerability information private.
    "Without such widespread public knowledge and awareness of these
    problems, vendors can take their time addressing these concerns, if
    they even address them at all. Microsoft is by far the most notorious
    in their vulnerability announcements, legalese and cover-their-tail
    security alerts," said Forno.
    Microsoft's editorial is aimed in part at Eeye Digital Security, the
    security software firm that discovered the bug in Microsoft's IIS
    Webserver that was exploited by Code Red a month later.
    In its June bulletin about the vulnerability, Microsoft thanked eEye
    "for reporting this issue to us and working with us to protect
    customers." But Culp told Newsbytes today that Microsoft was unhappy
    with the detailed information Eeye published about the bug.
    "We believe that they provided information in their advisory that was
    specific enough to help the people who wrote Code Red," said Culp.
    Representatives of Eeye, which never released an exploit for the IDA
    vulnerability, were not immediately available for comment.
    Discussions by security professionals of eEye's advisory on security
    mailing lists such as Bugtraq contained additional information on how
    to exploit the so-called "IDA" buffer overflow bug, according to Culp,
    who said editors of such lists should consider blocking messages that
    contain exploit code.
    Besides acknowledgments in its security bulletins, Microsoft plans to
    develop additional means of encouraging security professionals to
    adopt its limited-disclosure stance.
    "It's time for the security community to get on the right side of this
    issue," he said.
    The editorial on responsible disclosure is at:
    Microsoft's policy for acknowledging security professionals in its
    bulletins is at:
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 03:02:24 PDT