Re: Can we afford full disclosure of security holes?

[Chris Wolfe <9cw4 () qlink queensu ca>]

I assume this complaint is regarding eEye's initial advisory, rather than 
their later-published analysis of Code Red.

Given the contents of Microsoft's advisory and a decent debugger, 
identifying and developing an exploit for the overflow is not overly 
difficult. Potentially time-consuming, but not terrible complicated.

Moreover, unless I am misreading the analyses, the original eEye exploit 
uses a jump to a header containing a slide to execute code, while RedAlert 
jumps to the request body via msvcrt. Hardly closely related approaches. I 
would strongly question the assumption that RedAlert and variants were all 
based on the code released by eEye.

I would like to thank the folks at eEye for providing full advisories of 
security issues. As the one responsible for regression testing around here, 
knowing the actual flaws makes it much easier (i.e. possible).

Chris

At 02:39 PM 8/10/01, Richard M. Smith wrote:
> [snip]
> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance.  It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.
>
> Thanks,
> Richard M. Smith
> CTO, Privacy Foundation
> http://www.privacyfoundation.org