At 02:39 PM 8/10/2001 -0400, you wrote:
> .....
> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft? They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch. I realized that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot
> of companies a lot of money and grief.
>
> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance. It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

I agree completely with Richard, and I'd like to add more evidence to support the position.

I (in joint work with John McHugh and Bill Fithen) found that the disclosure of the vulnerability did not lead to a significant increase in intrusions. What did lead to a significant increase in the intrusion rates was the release of an attack script, i.e. the automation of the vulnerability. These conclusions were reached by studying several intrusion sets.

The full paper was published in IEEE Computer in December 2000, and it can be found at the URL below for those that want to see the details.

http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf

The bad news is that we also found that the problem of not patching systems is much, much worse than most suspect, i.e., we knew it was bad, but not as bad as we found.

Bill
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 16:33:02 PDT