[22189] in bugtraq
Can we afford full disclosure of security holes?
daemon@ATHENA.MIT.EDU (Richard M. Smith)
Fri Aug 10 15:18:22 2001
From: rms@privacyfoundation.org (Richard M. Smith)
To: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>
Date: Fri, 10 Aug 2001 14:39:06 -0400
Message-ID: <00b001c121c0$a1161160$0f01a8c0@tiac.net>
Hello,

The research company Computer Economics is calling Code Red
the most expensive computer virus in the history of the Internet.
They put the estimated clean-up bill so far at $2 billion.
I happen to think the $2 billion figure is total hype,
but clearly a lot of time and money has been spent cleaning up after
Code Red.

For the sake of argument, let's say that Computer Economics
is off by a factor of one hundred. That still puts the
clean-up costs at $20 million.

This $20 million figure begs the question: was it really
necessary for eEye Digital Security to release full details
of the IIS buffer overflow that made the Code Red I and II worms
possible? I think the answer is clearly no.

Wouldn't it have been much better for eEye to give the details
of the buffer overflow only to Microsoft? They could have still
issued a security advisory saying that they found a problem in IIS
and where to get the Microsoft patch. I realize that a partial
disclosure policy isn't as sexy as a full disclosure policy, but
I believe that a less revealing eEye advisory would have saved a lot
of companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS
security hole shows the right balance. It gives IIS customers
enough information about the buffer overflow without giving a recipe
to virus writers for how to exploit it.

Thanks,
Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

Links

Code Red Virus 'Most Expensive in History of Internet'
http://www.newsfactor.com/perl/story/12668.html

eEye security advisory -- All versions of Microsoft IIS Remote buffer overflow (SYSTEM Level Access)
http://www.eeye.com/html/Research/Advisories/AD20010618.html

eEye security advisory -- .ida "Code Red" Worm
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp