[22205] in bugtraq
Re: Can we afford full disclosure of security holes?
daemon@ATHENA.MIT.EDU (Chris Wolfe)
Fri Aug 10 21:31:44 2001
Message-Id: <4.3.2.7.2.20010810190953.049ba370@qlink.queensu.ca>
Date: Fri, 10 Aug 2001 20:20:02 -0400
To: "BUGTRAQ@SECURITYFOCUS. COM" <BUGTRAQ@securityfocus.com>
From: Chris Wolfe <9cw4@qlink.queensu.ca>
In-Reply-To: <00b001c121c0$a1161160$0f01a8c0@tiac.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
I assume this complaint is regarding eEye's initial advisory, rather than
their later-published analysis of Code Red.
Given the contents of Microsoft's advisory and a decent debugger,
identifying and developing an exploit for the overflow is not overly
difficult. Potentially time-consuming, but not terrible complicated.
Moreover, unless I am misreading the analyses, the original eEye exploit
uses a jump to a header containing a slide to execute code, while RedAlert
jumps to the request body via msvcrt. Hardly closely related approaches. I
would strongly question the assumption that RedAlert and variants were all
based on the code released by eEye.
I would like to thank the folks at eEye for providing full advisories of
security issues. As the one responsible for regression testing around here,
knowing the actual flaws makes it much easier (i.e. possible).
Chris
At 02:39 PM 8/10/01, Richard M. Smith wrote:
>[snip]
>Unlike the eEye advisory, the Microsoft advisory on the IIS
>security hole shows the right balance. It gives IIS customers
>enough information about the buffer overflow without giving a recipe
>to virus writers of how to exploit it.
>
>Thanks,
>Richard M. Smith
>CTO, Privacy Foundation
>http://www.privacyfoundation.org
