Security Firm Blamed For Code Red Costs


From: InfoSec News <isn () c4i org>
Date: Sat, 11 Aug 2001 02:05:12 -0500 (CDT)

http://www.newsbytes.com/news/01/168934.html

By Brian McWilliams, Newsbytes
ALISO VIEJO, CALIFORNIA, U.S.A.,
10 Aug 2001, 5:11 PM CST
The damage toll from the Code Red worm has sparked a new debate over
what security experts call "full disclosure."

Richard M. Smith, chief technology officer for the Privacy Foundation,
today criticized the company that found and publicized the glitch in
Microsoft's Internet Information Server (IIS) which led to the
creation of the malicious worm and a copy-cat.

"Was it really necessary for eEye Digital Security to release full
details of the IIS buffer overflow that made the Code Red I and II
worms possible? I think the answer is clearly no," wrote Smith in a
message to the Bugtraq security mailing list today.

eEye published a detailed advisory about the new IIS flaw on June 18,
the same day that Microsoft released its own bulletin and a patch to
correct the problem. In its description of the problem, Microsoft
thanked eEye for working with the company "to protect customers."

On Wednesday, Computer Economics, an information technology cost
research firm, put the total economic price tag of the Code Red worm at
more than $2 billion, based on an estimate that 760,000 computers
worldwide were infected.

According to Smith, those figures are "total hype." But he said that
if eEye had released details about the bug only to the big software
company, organizations that use Microsoft's IIS software would have
been spared the considerable expense and effort of cleaning up after
Code Red.

"One thing is now crystal clear with Code Red: full-disclosure comes
with one hell of a price tag. There has to be a better way," said
Smith.

As first reported by Newsbytes, the original Code Red worm was
identified on July 17. A second worm, dubbed Code Red II, which preyed
on the same vulnerability, began appearing on Aug. 4. The authors of
both worms have not been identified.

In a seething rebuttal to Smith's posting, Marc Maiffret, chief
hacking officer for eEye, denied that the firm was indirectly
responsible for the worm. According to Maiffret, "This sort of
ignorance being spread in a public forum is just one of the many
things wrong with the security industry."

As proof that withholding security vulnerability information can
ultimately hurt computer users, Maiffret pointed to an earlier,
related worm released last spring which exploited a different,
unpublished vulnerability in IIS but didn't spread widely.

According to a report published Monday in the Wall Street Journal, the
worm infected a Department of Energy research laboratory last April.
The lab called in the FBI, but the agency reportedly took no action.

Maiffret said Microsoft subsequently released a fix for the flaw as
part of a bundle of patches, without publicizing the vulnerability.

"Therefore (intrusion detection system) vendors never had a signature
... If a security company had found the flaw, then there would have
been details, signatures made, and IDS systems would have detected the
first instance of Code Red," said Maiffret.

[...]
