[22200] in bugtraq
Re: Can we afford full disclosure of security holes?
daemon@ATHENA.MIT.EDU (Alun Jones)
Fri Aug 10 20:38:57 2001
Message-Id: <4.3.2.7.2.20010810143206.02928e90@mail.io.com>
Date: Fri, 10 Aug 2001 14:53:07 -0500
To: rms@privacyfoundation.org (Richard M. Smith)
From: Alun Jones <alun@texis.com>
Cc: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>
In-Reply-To: <00b001c121c0$a1161160$0f01a8c0@tiac.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 01:39 PM 8/10/2001, Richard M. Smith wrote:
>For the sake of argument, let's say that Computer Economics
>is off by a factor of one hundred. That still puts the
>clean-up costs at $20 million.
Divide that by the number of systems that needed to be cleaned up, and you
come to quite a small number. Let's say only a hundred thousand systems
were cleaned up. That's $200 - a couple of hours' consulting work, perhaps
less, for each customer. Since many consultants won't come and visit you
for any less, and many systems (of all varieties) are run by "admins" who
wouldn't know how to install a patch, let alone tell if they needed to, I'd
say that $20 million for as widespread a worm as this is (or is claimed to
be) is getting off rather cheap.
>Wouldn't it have been much better for eEye to give the details
>of the buffer overflow only to Microsoft? They could have still
>issued a security advisory saying that they found a problem in IIS
>and where to get the Microsoft patch. I realize that a partial
>disclosure policy isn't as sexy as a full disclosure policy, but
>I believe that a less revealing eEye advisory would have saved a lot
>of companies a lot of money and grief.
Sure, eEye needed to make Microsoft the first people to notify - after all,
if a vendor can come out with a fix, then there's a greater chance that the
customers will download it. And who better to fix the software than the
people who created it? But as to not disclosing it publicly, that's a
harder matter. Microsoft, in particular, has a reputation (whether it
deserves it or not) for ignoring bug reports until a big stink is made,
such as that which can be made by publicly exposing the hole.
>Unlike the eEye advisory, the Microsoft advisory on the IIS
>security hole shows the right balance. It gives IIS customers
>enough information about the buffer overflow without giving a recipe
>to virus writers of how to exploit it.
Unfortunately, because of this, it is impossible to independently verify
that the hole has, indeed, been fixed (or that it was there to begin
with). It is then, also, impossible to tell whether similar holes are
present, that the vendor didn't think to check for.
As with most other things, of course, the problem comes in determining the
_degree_ with which to report publicly the holes in software. For
instance, posting an exploit that takes, as a parameter, any executable,
and allows you to upload and run it on the target machine, would be
thoroughly irresponsible, and no better than releasing a cracking
toolkit. Similarly, posting a full description without first making an
attempt to discuss it with the vendor does not allow the vendor to correct
mistakes in the report that are obvious to them, and which make the
reporter look stupid.
Alun.
~~~~
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.