Can we afford full disclosure of security holes?
From: Richard M. Smith
Sent: Friday, August 10, 2001 1:39 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Can we afford full disclosure of security holes?
The research company Computer Economics is calling Code Red
the most expensive computer virus in the history of the Internet.
They put the estimated clean-up bill so far at $2 billion.
I happen to think the $2 billion figure is total hype,
but clearly a lot of time and money has been spent cleaning up after Code Red.
For the sake of argument, let's say that Computer Economics
is off by a factor of one hundred. That still puts the
clean-up costs at $20 million.
This $20 million figure begs the question of whether it was really
necessary for eEye Digital Security to release full details
of the IIS buffer overflow that made the Code Red I and II worms
possible. I think the answer is clearly no.
Wouldn't it have been much better for eEye to give the details
of the buffer overflow only to Microsoft? They could have still
issued a security advisory saying that they found a problem in IIS
and where to get the Microsoft patch. I realize that a partial
disclosure policy isn't as sexy as a full disclosure policy, but
I believe that a less revealing eEye advisory would have saved a lot
of companies a lot of money and grief.
Unlike the eEye advisory, the Microsoft advisory on the IIS
security hole shows the right balance. It gives IIS customers
enough information about the buffer overflow without giving a recipe
to virus writers of how to exploit it.
Richard M. Smith
From: Richard M. Smith
Sent: Sunday, August 12, 2001 10:17 AM
To: 'BUGTRAQ@SECURITYFOCUS.COM'
Subject: The common sense argument against full disclosure.
Thanks for all the replies to my previous Bugtraq message
entitled "Can we afford full disclosure of security holes?".
The best answer I got back against full disclosure of security
holes was in an eEye press release of May 1, 2001 which quoted
May 1, 2001 - eEye Digital Security Announces
Major Vulnerability in Microsoft(R) Windows 2000
IIS 5.0 Web Server Software
"We have shared the exploit with Microsoft to
demonstrate the seriousness of our finding. eEye
has decided not to release the exploit to the general
public given the potential abuse by malicious
Most folks that I know who find security holes in products also
follow this same common sense rule of partial disclosure. They
leave out details of a security hole in a public advisory that
might be used to exploit a security hole by the bad guys. They
use their own good judgment when writing a security advisory where
to draw the line of providing too much information about a security
hole that might be misused. If other security folks do need more
details about a problem, then this information is typically provided
privately with an understanding that it needs to be kept confidential.
As an example of over disclosure of information, I think that eEye's
June 18th advisory on the second IIS buffer overflow error could
have left out all of the discussion of the EIP smashing. This
information primarily benefits the bad guys writing worms and
Trojan horses and does little to help make IIS systems more secure.
It is not clear yet if the Code Red author used this eEye information
on EIP smashing to help produce Code Red. However, even the appearance
that the eEye advisory might have been used to make Code Red possible is
not good PR, given that the EIP smashing information has little or no
As an aside, eEye does not appear to follow its own advice. Over in
the May 1 advisory for the first IIS buffer overflow they actually
offer an exploit in the form of a C source file in spite of what the
May 1 press release says:
Windows 2000 IIS 5.0 Remote buffer overflow
vulnerability (Remote SYSTEM Level Access)
Proof of concept exploit:
This exploit will simply create a file in the root of
drive c:\ with instructions on how to patch your vulnerable
server. ... We would like to note that eEye Digital Security
did provide Microsoft with a working exploit.
Pretty clearly the eEye May 1 press release and advisory contradict
each other. eEye probably needs to get this problem fixed.
BTW, to make one thing very clear, I think that the eEye crew did a
super job of finding these two IIS buffer overflows and working with
Microsoft to get them patched. Their analysis of the Code Red worm
was also extremely important. If only Microsoft could do as good a
job of finding these same kinds of problems before shipping products
like Windows, IIS, Internet Explorer, and Office!
Richard M. Smith