Can we afford full disclosure of security holes?

From: Richard M. Smith (rmsat_private)
Date: Fri Aug 10 2001 - 11:39:06 PDT


    Hello,
    
    The research company Computer Economics is calling Code Red 
    the most expensive computer virus in the history of the Internet.  
    They put the estimated clean-up bill so far at $2 billion.  
    I happen to think the $2 billion figure is total hype,
    but clearly a lot of time and money has been spent cleaning up after
    Code Red.
    
    For the sake of argument, let's say that Computer Economics
    is off by a factor of one hundred.  That still puts the 
    clean-up costs at $20 million.  
    
    This $20 million figure begs the question: was it really 
    necessary for eEye Digital Security to release full details 
    of the IIS buffer overflow that made the Code Red I and II worms 
    possible?  I think the answer is clearly no.
    
    Wouldn't it have been much better for eEye to give the details 
    of the buffer overflow only to Microsoft?  They could have still 
    issued a security advisory saying that they found a problem in IIS 
    and where to get the Microsoft patch.  I realize that a partial 
    disclosure policy isn't as sexy as a full disclosure policy, but 
    I believe that a less revealing eEye advisory would have saved a lot 
    of companies a lot of money and grief.
    
    Unlike the eEye advisory, the Microsoft advisory on the IIS 
    security hole shows the right balance.  It gives IIS customers 
    enough information about the buffer overflow without giving virus 
    writers a recipe for how to exploit it.
    
    Thanks,
    Richard M. Smith
    CTO, Privacy Foundation
    http://www.privacyfoundation.org
    
    Links
    
    Code Red Virus 'Most Expensive in History of Internet' 
    http://www.newsfactor.com/perl/story/12668.html
    
    eEye security advisory -- All versions of Microsoft 
    IIS Remote buffer overflow (SYSTEM Level Access) 
    http://www.eeye.com/html/Research/Advisories/AD20010618.html
    
    eEye security advisory -- .ida "Code Red" Worm 
    http://www.eeye.com/html/Research/Advisories/AL20010717.html
    
    Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server 
    Compromise (MS01-033)
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:17:18 PDT