RE: Can we afford full disclosure of security holes?

From: bodzincmat_private
Date: Fri Aug 10 2001 - 16:11:02 PDT


    <snip>
    Wouldn't it have been much better for eEye to give the details
    of the buffer overflow only to Microsoft?  They could have still
    issued a security advisory saying that they found a problem in IIS
    and where to get the Microsoft patch.  I realize that a partial
    disclosure policy isn't as sexy as a full disclosure policy, but
    I believe that a less revealing eEye advisory would have saved a lot
    of companies a lot of money and grief.
    </snip>
    
    Fatally flawed thinking, for several reasons:
    
    1) This worm is pretty much a carbon copy of a previous worm released months
    ago (one that worked on .htr files).  The patch for the problem was released
    long ago and should have already been applied by security-conscious
    admins...which says something about the importance of security to most
    admins.
    
    2) Vendors - including but not limited to Microsoft - have a history of
    quietly burying critical problems that aren't fully released to the public.
    Intel initially claimed that the Pentium math bug didn't affect enough
    people to merit a fix; Microsoft originally claimed that NTFS was not
    vulnerable to file fragmentation; the list continues ad infinitum.  Nothing
    is better for the public's interest than full disclosure; it forces
    (sometimes painfully) people to confront problems and deal with them.
    
    
    3) You assume that without eEye's help nobody would have known about this
    vulnerability or how to exploit it, and that by keeping quiet the problem
    wouldn't exist.  While the guys at eEye are clearly sharper than average,
    you are not giving the hacker community nearly enough credit.  Who's to say
    that this vulnerability wasn't already being quietly exploited by hackers?
    Sure, releasing code may make it easier for script kiddies, but trying to
    keep information from the public is "security through obscurity" and we all
    know how well that works.
    
    4) Lastly, I believe that eEye didn't release details of their exploit until
    a few days after they pointed out the problem and the patch, giving admins a
    short but manageable amount of time to fix the problem.
    
    CM
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:13:29 PDT