Bugtraq mailing list archives

Re: Can we afford full disclosure of security holes?


From: Scott Blake <blake () homeport org>
Date: Fri, 10 Aug 2001 16:30:42 -0400

Hi folks-

We should all consider the following scenario: Microsoft released their bulletin with the "right" amount of information. Someone with malicious intent reverse engineered the patch to determine the source of the problem (in violation of the license agreement) and began systematically exploiting the security flaw for his/her own nefarious purposes -- installing backdoors, stealing credit card numbers, leveraging web server access into more complete network access, whatever.

There would have been no media hype, probably no coverage at all. How many people would have installed the patch? Certainly, some administrators are very conscientious and install all security patches, but how many? I think Microsoft would support the proposition that far more patches were downloaded for this issue than most (any?) other.

So we must ask ourselves if the affected servers would be more or less secure without full disclosure, indeed, without Code Red. I submit that the answer is that full disclosure and the media hype resulted in *better* security because more people installed the patch than would have otherwise. Would we have had Code Red without eEye's disclosure? Probably not, but we probably would have the flaw being exploited without anyone's knowledge.

There are many more vulnerabilities disclosed than are widely exploited. So many, in fact, that a good case can be made that administrators are currently in vulnerability overload. They have become jaded to the dire warnings of those of us in the security community because so often our predictions do not come to pass.

The problem is not full disclosure. The problem is failure to act on either the disclosure or the release of the patch. Whatever solutions we suggest must address the problem of patches not being installed. If everyone installed the patch, it wouldn't matter how much information was disclosed. If no one installs the patch, it still doesn't matter how much information is disclosed.

Let's think about fixing the right problem.

Scott Blake
Director of Security Strategy
BindView Corporation

PS - Please note that Mr. Smith's argument rests on the premise that vulnerabilities will only be exploited if they are disclosed. Mine rests on the premise that vulnerabilities may or may not be exploited if disclosed, but that it is prudent to assume that they will be exploited even if not fully disclosed.
