[22193] in bugtraq
Re: Can we afford full disclosure of security holes?
daemon@ATHENA.MIT.EDU (Bill Arbaugh)
Fri Aug 10 19:33:34 2001
Message-Id: <5.1.0.14.0.20010810162911.00ab4920@localhost>
Date: Fri, 10 Aug 2001 16:30:45 -0700
To: rms@privacyfoundation.org (Richard M. Smith),
"BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>
From: Bill Arbaugh <waa@cs.umd.edu>
In-Reply-To: <00b001c121c0$a1161160$0f01a8c0@tiac.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 02:39 PM 8/10/2001 -0400, you wrote:
>.....
>Wouldn't it have been much better for eEye to give the details
>of the buffer overflow only to Microsoft? They could have still
>issued a security advisory saying that they found a problem in IIS
>and where to get the Microsoft patch. I realized that a partial
>disclosure policy isn't as sexy as a full disclosure policy, but
>I believe that a less revealing eEye advisory would have saved a lot
>of companies a lot of money and grief.
>
>Unlike the eEye advisory, the Microsoft advisory on the IIS
>security hole shows the right balance. It gives IIS customers
>enough information about the buffer overflow without giving a recipe
>to virus writers of how to exploit it.
I agree completely with Richard, and I'd like to add more evidence
to support the position. I (in joint work with John McHugh and Bill Fithen)
found that the disclosure of the vulnerability did not lead to a
significant increase in intrusions. What did lead to a significant increase
in the intrusion rates was the release of an attack script, the automation
of the vulnerability. These conclusions were reached by studying several
intrusion sets.
The full paper was published in IEEE Computer in December 2000, and it
can be found at the URL below for those that want to see the details.
http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf
The bad news is that we also found that the problem of not patching systems
is much, much worse than most suspect, i.e. we knew it was bad, but not as
bad as we found.
Bill