Can we afford full disclosure of security holes?



From: Richard M. Smith
Sent: Friday, August 10, 2001 1:39 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Can we afford full disclosure of security holes?

Hello,

The research company Computer Economics is calling Code Red 
the most expensive computer virus in the history of the Internet.  
They put the estimated clean-up bill so far at $2 billion.  
I happen to think the $2 billion figure is total hype,
but clearly a lot of time and money has been spent cleaning up after Code Red.

For the sake of argument, let's say that Computer Economics
is off by a factor of one hundred.  That still puts the 
clean-up costs at $20 million.  

This $20 million figure begs the question was it really 
necessary for eEye Digital Security to release full details 
of the IIS buffer overflow that made the Code Red I and II worms 
possible?  I think the answer is clearly no.

Wouldn't it have been much better for eEye to give the details 
of the buffer overflow only to Microsoft?  They could have still 
issued a security advisory saying that they found a problem in IIS 
and where to get the Microsoft patch.  I realize that a partial 
disclosure policy isn't as sexy as a full disclosure policy, but 
I believe that a less revealing eEye advisory would have saved a lot of 
companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS 
security hole shows the right balance.  It gives IIS customers 
enough information about the buffer overflow without giving virus 
writers a recipe for how to exploit it.

Thanks,
Richard M. Smith

From: Richard M. Smith  
Sent: Sunday, August 12, 2001 10:17 AM
To: 'BUGTRAQ@SECURITYFOCUS.COM'
Subject: The common sense argument against full disclosure.

Hello,

Thanks for all the replies to my previous Bugtraq message 
entitled "Can we afford full disclosure of security holes?".  

The best answer I got back against full disclosure of security 
holes was in an eEye press release of May 1, 2001 which quoted 
Marc Maiffret:

   http://www.eeye.com/html/press/PR20010501-2.html

   May 1, 2001 - eEye Digital Security Announces 
   Major Vulnerability in Microsoft(R) Windows 2000 
   IIS 5.0 Web Server Software

   "We have shared the exploit with Microsoft to 
   demonstrate the seriousness of our finding. eEye 
   has decided not to release the exploit to the general 
   public given the potential abuse by malicious 
   individuals." 

Most folks that I know who find security holes in products also 
follow this same common sense rule of partial disclosure.  They 
leave out details of a security hole in a public advisory that 
might be used by the bad guys to exploit it.  They 
use their own good judgment when writing a security advisory about where 
to draw the line on providing too much information about a security 
hole that might be misused.  If other security folks do need more 
details about a problem, then this information is typically provided 
privately with an understanding that it needs to be kept confidential.

As an example of over-disclosure of information, I think that eEye's 
June 18th advisory on the second IIS buffer overflow error could 
have left out all of the discussion of the EIP smashing.  This 
information primarily benefits the bad guys writing worms and 
Trojan horses and does little to help make IIS systems more secure.  
It is not clear yet if the Code Red author used this eEye information 
on EIP smashing to help produce Code Red.  However, even the appearance 
that the eEye advisory might have been used to make Code Red possible is 
not good PR, given that the EIP smashing information has little or no 
security value.

As an aside, eEye does not appear to follow its own advice.  Over in 
the May 1 advisory for the first IIS buffer overflow they actually 
offer an exploit in the form of a C source file in spite of what the 
May 1 press release says:

   http://www.eeye.com/html/Research/Advisories/AD20010501.html

   Windows 2000 IIS 5.0 Remote buffer overflow 
   vulnerability (Remote SYSTEM Level Access)

   Proof of concept exploit:
   http://www.eeye.com/html/research/Advisories/iishack2000.c 
   This exploit will simply create a file in the root of 
   drive c:\ with instructions on how to patch your vulnerable 
   server. ... We would like to note that eEye Digital Security 
   did provide Microsoft with a working exploit. 

Pretty clearly the eEye May 1 press release and advisory contradict 
each other.  eEye probably needs to get this problem fixed.

BTW, to make one thing very clear, I think that the eEye crew did a 
super job of finding these two IIS buffer overflows and working with 
Microsoft to get them patched.  Their analysis of the Code Red worm 
was also extremely important.  If only Microsoft could do as good a
job of finding these same kinds of problems before shipping products 
like Windows, IIS, Internet Explorer, and Office!

Thanks,
Richard M. Smith