<snip>
Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. I realized that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that a less revealing eEye advisory would have saved a lot of companies a lot of money and grief.
</snip>

Fatally flawed thinking, for several reasons:

1) This worm is pretty much a carbon copy of a previous worm released months ago (one that worked on .htr files). The patch for the problem was released long ago and should have already been applied by security-conscious admins...which says something about the importance of security to most admins.

2) Vendors - including but not limited to Microsoft - have a history of quietly burying critical problems that aren't fully released to the public. Intel initially claimed that the Pentium math bug didn't affect enough people to merit a fix; Microsoft originally claimed that NTFS was not vulnerable to file fragmentation; the list continues ad infinitum. Nothing is better for the public's interest than full disclosure; it forces (sometimes painfully) people to confront problems and deal with them.

3) You assume that without eEye's help nobody would have known about this vulnerability or how to exploit it, and that by keeping quiet the problem wouldn't exist. While the guys at eEye are clearly sharper than average, you are not giving the hacker community nearly enough credit. Who's to say that this vulnerability wasn't already being quietly exploited by hackers? Sure, releasing code may make it easier for script kiddies, but trying to keep information from the public is "security through obscurity" and we all know how well that works.

4) Lastly, I believe that eEye didn't release details of their exploit until a few days after they pointed out the problem and the patch, giving admins a short but manageable amount of time to fix the problem.

CM
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:13:29 PDT