Re: Can we afford full disclosure of security holes?

From: Alun Jones (alunat_private)
Date: Fri Aug 10 2001 - 12:53:07 PDT


    At 01:39 PM 8/10/2001, Richard M. Smith wrote:
    >For the sake of argument, let's say that Computer Economics
    >is off by a factor of one hundred.  That still puts the
    >clean-up costs at $20 million.
    
    Divide that by the number of systems that needed to be cleaned up, and you 
    come to quite a small number.  Let's say only a hundred thousand systems 
    were cleaned up.  That's $200 - a couple of hours' consulting work, perhaps 
    less, for each customer.  Since many consultants won't come and visit you 
    for any less, and many systems (of all varieties) are run by "admins" who 
    wouldn't know how to install a patch, let alone tell if they needed to, I'd 
    say that $20 million for as widespread a worm as this is (or is claimed to 
    be) is getting off rather cheap.
    
    >Wouldn't it have been much better for eEye to give the details
    >of the buffer overflow only to Microsoft?  They could have still
    >issued a security advisory saying that they found a problem in IIS
    >and where to get the Microsoft patch.  I realize that a partial
    >disclosure policy isn't as sexy as a full disclosure policy, but
    >I believe that a less revealing eEye advisory would have saved a lot
    >of companies a lot of money and grief.
    
    Sure, eEye needed to make Microsoft the first people to notify - after all, 
    if a vendor can come out with a fix, then there's a greater chance that the 
    customers will download it.  And who better to fix the software than the 
    people who created it?  But as to not disclosing it publicly, that's a 
    harder matter.  Microsoft, in particular, has a reputation (whether it 
    deserves it or not) for ignoring bug reports until a big stink is made, 
    such as that which can be made by publicly exposing the hole.
    
    >Unlike the eEye advisory, the Microsoft advisory on the IIS
    >security hole shows the right balance.  It gives IIS customers
    >enough information about the buffer overflow without giving a recipe
    >to virus writers of how to exploit it.
    
    Unfortunately, because of this, it is impossible to independently verify 
    that the hole has, indeed, been fixed (or that it was there to begin 
    with).  It is then, also, impossible to tell whether similar holes are 
    present, that the vendor didn't think to check for.
    
    As with most other things, of course, the problem comes in determining the 
    _degree_ with which to report publicly the holes in software.  For 
    instance, posting an exploit that takes, as a parameter, any executable, 
    and allows you to upload and run it on the target machine, would be 
    thoroughly irresponsible, and no better than releasing a cracking 
    toolkit.  Similarly, posting a full description without first making an 
    attempt to discuss it with the vendor does not allow the vendor to correct 
    mistakes in the report that are obvious to them, and which make the 
    reporter look stupid.
    
    Alun.
    ~~~~
    
    --
    Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
    1602 Harvest Moon Place   | http://www.wftpd.com or email alunat_private
    Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
    Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
    
    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:26:18 PDT