Bugtraq mailing list archives

RE: Can we afford full disclosure of security holes?


From: "Guy Helmer" <ghelmer () palisadesys com>
Date: Fri, 10 Aug 2001 16:20:26 -0500

On Friday, August 10, 2001 1:39 PM Richard M. Smith
<rms () privacyfoundation org> wrote:
> The research company Computer Economics is calling Code Red
> the most expensive computer virus in the history of the Internet.
> They put the estimated clean-up bill so far at $2 billion.
> ... [W]as it really
> necessary for eEye Digital Security to release full details
> of the IIS buffer overflow that made the Code Red I and II worms
> possible?  I think the answer is clearly no.

> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft?

History has shown that this approach allows vendors to procrastinate.  As a
result, black hats are free to exploit the vulnerability until the vendor
releases the fix.  Recent disclosures of vulnerabilities without exploit
information have demonstrated that knowledge of the vulnerability often
quickly leads to black hat exploitation of the vulnerability without the
benefit of providing enough information for the white hats to take immediate
protective measures. (E.g., it appeared to me that the recent telnetd
vulnerability in multiple systems was quickly exploited after the
vulnerability was announced but before the white hats even had a copy of the
exploit code.)

However, in the Code Red case, IIRC Microsoft released a fix for the IDA
vulnerability back in mid-June shortly after the eEye disclosure.  All else
aside, Code Red has served as a beneficial wake-up call to everyone to
become more diligent at maintaining their systems.  Code Red has exposed a
lot of problems in a lot of vendors' equipment (HP laser printers, Cisco DSL
routers, etc.) and in the long run this exposure will improve the state of
security on such systems.

> ... I realized that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot of
> companies a lot of money and grief.

Vendors would save everyone a lot of money and grief by providing better
systems in the first place.  Perfection is impossible, but excellence is
achievable and necessary for vendors who claim high availability and
security (cf. OpenBSD).  Also, we apparently need an automated update
infrastructure to correct code vulnerabilities for those who pay little or
no attention to the security maintenance aspects of their systems (cf.
~300000 compromised Windows systems)...

Guy Helmer, Ph.D.
My comments do not represent the position of my employer.


Current thread: