Microsoft Rallies Industry Against Bug Anarchy

[InfoSec News <isn () c4i org>]

http://www.newsbytes.com/news/01/171173.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
16 Oct 2001, 1:37 PM CST
 
Pushed to the brink by recent Internet worm outbreaks, Microsoft hopes
to rally the computer industry against those who improperly publish
information about security vulnerabilities.

In an editorial at Microsoft's site, Scott Culp, head of the company's
Security Response Center, announced the initiative against what he
called "information anarchy."
 
According to Culp, the damage caused by worms such as Code Red and
Nimda can be blamed in part on computer security professionals who
discovered the software flaws exploited by the malicious,
self-propagating programs.

"The people who wrote (the worms) have been rightly condemned as
criminals. But they needed help to devastate our networks ... It's
high time the security community stopped providing blueprints for
building these weapons," he said.

According to Culp, recent worms have relied on techniques and even
specific software instructions published by security firms in their
advisories about software bugs.

"Clearly, the publication of exploit details about the vulnerabilities
contributed to their use as weapons ... It's simply indefensible for
the security community to continue arming cybercriminals," he said.

Microsoft's editorial is the latest salvo in the debate between
security experts and software vendors over what is called "full
disclosure."

In Microsoft's view, the only prudent policy is to work with vendors
and not disclose vulnerability information to the public until a patch
is available - and then only to disclose enough information so that
administrators can decide whether to apply the fix without being at
risk if they don't.

"This is not a call to stop discussing vulnerabilities. Instead, it is
a call for security professionals to draw a line beyond which we
recognize that we are simply putting other people at risk," said Culp.

To exert economic pressure on security consultants to adopt this
approach, Microsoft recommends that customers ask consultants for
their policy on disclosing information about security bugs they
discover.

Chris Rouland, director of the X-Force team at Information Security
Systems, said the software and consulting firm shares Microsoft's
viewpoint on the dangers of releasing bug exploits.

"We question the ethics and business value of arming individuals with
the ability to break into computers," said Rouland.

John Pescatore, research director for Internet security at Gartner,
agreed that publishing information on how to exploit security bugs is
potentially harmful. But he said Microsoft is dodging its
responsibility to ship products with fewer vulnerabilities.

"The biggest problem system administrators have is not that people are
giving out detailed blueprints on how to attack vulnerabilities; it is
that many of the vulnerabilities that come out in IIS and other
software are so huge that minimally skilled hackers can exploit them
on their own," said Pescatore.

Richard Forno, chief technology officer for Shadowlogic, an
information assurance firm, said software vendors have a vested
interest in keeping vulnerability information private.

"Without such widespread public knowledge and awareness of these
problems, vendors can take their time addressing these concerns, if
they even address them at all. Microsoft is by far the most notorious
in their vulnerability announcements, legalese and cover-their-tail
security alerts," said Forno.

Microsoft's editorial is aimed in part at Eeye Digital Security, the
security software firm that discovered the bug in Microsoft's IIS
Webserver that was exploited by Code Red a month later.

In its June bulletin about the vulnerability, Microsoft thanked eEye
"for reporting this issue to us and working with us to protect
customers." But Culp told Newsbytes today that Microsoft was unhappy
with the detailed information Eeye published about the bug.

"We believe that they provided information in their advisory that was
specific enough to help the people who wrote Code Red," said Culp.

Representatives of Eeye, which never released an exploit for the IDA
vulnerability, were not immediately available for comment.

Discussions by security professionals of eEye's advisory on security
mailing lists such as Bugtraq contained additional information on how
to exploit the so-called "IDA" buffer overflow bug, according to Culp,
who said editors of such lists should consider blocking messages that
contain exploit code.

Besides acknowledgments in its security bulletins, Microsoft plans to
develop additional means of encouraging security professionals to
adopt its limited-disclosure stance.

"It's time for the security community to get on the right side of this
issue," he said.

The editorial on responsible disclosure is at:
http://www.microsoft.com/technet/columns/security/noarch.asp 

Microsoft's policy for acknowledging security professionals in its
bulletins is at:
http://www.microsoft.com/technet/security/bulletin/policy.asp 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.