On Friday, August 10, 2001 1:39 PM Richard M. Smith <rmsat_private> wrote:

> The research company Computer Economics is calling Code Red
> the most expensive computer virus in the history of the Internet.
> They put the estimated clean-up bill so far at $2 billion.
> ... [W]as it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible? I think the answer is clearly no.
>
> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft?

History has shown that this approach allows vendors to procrastinate. As a result, black hats are free to exploit the vulnerability until the vendor releases the fix.

Recent disclosures of vulnerabilities without exploit information have demonstrated that knowledge of the vulnerability often quickly leads to black hat exploitation of the vulnerability, without the benefit of providing enough information for the white hats to take immediate protective measures. (E.g., it appeared to me that the recent telnetd vulnerability in multiple systems was quickly exploited after the vulnerability was announced but before the white hats even had a copy of the exploit code.)

However, in the Code Red case, IIRC Microsoft released a fix for the IDA vulnerability back in mid-June, shortly after the eEye disclosure.

All else aside, Code Red has served as a beneficial wake-up call to everyone to become more diligent at maintaining their systems. Code Red has exposed a lot of problems in a lot of vendors' equipment (HP laser printers, Cisco DSL routers, etc.), and in the long run this exposure will improve the state of security on such systems.

> ... I realized that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot of
> companies a lot of money and grief.

Vendors would save everyone a lot of money and grief by providing better systems in the first place. Perfection is impossible, but excellence is achievable and necessary for vendors who claim high availability and security (cf. OpenBSD). Also, we apparently need an automated update infrastructure to correct code vulnerabilities for those who pay little or no attention to the security maintenance aspects of their systems (cf. ~300,000 compromised Windows systems)...

Guy Helmer, Ph.D.
My comments do not represent the position of my employer.
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 18:16:50 PDT