Re: Can we afford full disclosure of security holes?

From: Scott Blake (blakeat_private)
Date: Fri Aug 10 2001 - 13:30:42 PDT


    Hi folks-
    
    We should all consider the following scenario:  Microsoft released their 
    bulletin with the "right" amount of information.  Someone with malicious 
    intent reverse engineered the patch to determine the source of the problem 
    (in violation of the license agreement) and began systematically exploiting 
    the security flaw for his/her own nefarious purposes -- installing 
    backdoors, stealing credit card numbers, leveraging web server access into 
    more complete network access, whatever.
    
    There would have been no media hype, probably no coverage at all.  How many 
    people would have installed the patch?  Certainly, some administrators are 
    very conscientious and install all security patches, but how many?  I think 
    Microsoft would support the proposition that far more patches were 
    downloaded for this issue than most (any?) other.
    
    So we must ask ourselves if the affected servers would be more or less 
    secure without full disclosure, indeed, without Code Red.  I submit that 
    the answer is that full disclosure and the media hype resulted in *better* 
    security because more people installed the patch than would have otherwise. 
    Would we have had Code Red without eEye's disclosure?  Probably not, but we 
    probably would have the flaw being exploited without anyone's knowledge.
    
    There are many more vulnerabilities disclosed than are widely exploited. 
    So many, in fact, that a good case can be made that administrators are 
    currently in vulnerability overload.  They have become jaded to the dire 
    warnings of those of us in the security community because so often our 
    predictions do not come to pass.
    
    The problem is not full disclosure.  The problem is failure to act on 
    either the disclosure or the release of the patch.  Whatever solutions we 
    suggest must address the problem of patches not being installed.  If 
    everyone installed the patch, it wouldn't matter how much information was 
    disclosed.  If no one installs the patch, it still doesn't matter how much 
    information is disclosed.
    
    Let's think about fixing the right problem.
    
    Scott Blake
    Director of Security Strategy
    BindView Corporation
    
    PS - Please note that Mr. Smith's argument rests on the premise that 
    vulnerabilities will only be exploited if they are disclosed.  Mine rests 
    on the premise that vulnerabilities may or may not be exploited if 
    disclosed, but that it is prudent to assume that they will be exploited 
    even if not fully disclosed.
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 19:09:29 PDT