http://www.wired.com/news/infostructure/0,1377,56463,00.html

By Michelle Delio
Nov. 19, 2002

To disclose or not disclose -- it's a question that's been under heavy discussion in the computer security industry over the past year.

U.S. cybersecurity director Richard Clarke and virtually all software companies insist that software vendors should have a chance to fix problems before security researchers disclose them publicly.

Researchers counter that without full disclosure, companies often fail to swiftly patch security holes. Full disclosure, in theory, also alerts computer users to problems that are already known to malicious hackers, who often exploit holes before patches become available.

But a recent post on the security news mailing list BugTraq has infuriated some who normally favor full disclosure.

The post details how a bit of programming code embedded in a Web page can reformat site visitors' hard drives, deleting all files stored on the affected drive. The exploit affects users running Microsoft Internet Explorer browser versions 5.5 or 6.0.

"Even if you are in favor of full disclosure, that post falls far outside of the accepted parameters for a public forum," said security expert Richard Smith. "I don't understand how publishing this kind of malicious code increases security. Symantec (which hosts the SecurityFocus website and BugTraq mailing list) is just helping out the script kiddies.

"BugTraq is a moderated list, so it has the choice of what messages are sent out to the list and which ones are rejected," Smith added. "Why wasn't this message rejected?"

Symantec spokeswoman Genevieve Haldeman said the vulnerability was approved for posting on Bugtraq.

"The vulnerability is well-known within the security community and the information posted on Bugtraq was information that had been copied or linked from other public forums," Haldeman said. "This particular exploit has the potential to cause tremendous damage to systems, and security experts need to be aware that this vulnerability is being exploited in the wild to cause damage."

Haldeman added that Symantec maintains Bugtraq for the security community as an independent entity under the SecurityFocus brand. The site's purpose is to foster objective reporting by security experts on the latest tech threats and attacks. Appropriate content would include "specific exploit programs, scripts or detailed processes about security vulnerabilities," Haldeman said.

"It is critical to maintain the integrity of the community. We believe that its current disclosure policy is appropriate for the venue," Haldeman said of Bugtraq. "Symantec operates with a separate disclosure policy for vulnerabilities found by our customers or researchers."

Smith disagreed.

"Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing. To an outsider, Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

The exploit in question was originally discovered by security researcher Andreas Sandblad earlier in November. Since Sandblad published his report, several exploits -- which have been demonstrated on a half-dozen or more websites -- have been developed. Most of the published exploits did no damage to a user's computer, but demonstrated how it was possible to control the affected computer remotely.

Other security experts said publishing the hard-drive exploit was a double-edged sword.

"The new information enabled me to add to some rudimentary precautions I'd taken previously based on earlier information," said Gary Flynn, a security engineer at James Madison University. "But, of course, it also made it easier for others to take advantage of the situation."

Flynn has posted a Web page documenting the problem and offering possible workarounds.

A Microsoft spokeswoman said the Microsoft Security Response Center investigated the security hole as soon as it was reported. Some of the possible ways to exploit the hole have already been addressed in security patches, the spokeswoman said, but added that Microsoft is "investigating the issues discussed in the report, and examining whether there are future changes we could make to provide additional defense in-depth."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 15:10:48 PST