Bugtraq mailing list archives
Can we afford full disclosure of security holes?
From: rms () privacyfoundation org (Richard M. Smith)
Date: Fri, 10 Aug 2001 14:39:06 -0400
Hello,

The research company Computer Economics is calling Code Red the most expensive computer virus in the history of the Internet. They put the estimated clean-up bill so far at $2 billion. I happen to think the $2 billion figure is total hype, but clearly a lot of time and money has been spent cleaning up after Code Red.

For the sake of argument, let's say that Computer Economics is off by a factor of one hundred. That still puts the clean-up costs at $20 million. This $20 million figure begs the question: was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no.

Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. I realize that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that a less revealing eEye advisory would have saved a lot of companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS security hole shows the right balance. It gives IIS customers enough information about the buffer overflow without giving a recipe to virus writers of how to exploit it.

Thanks,
Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

Links

Code Red Virus 'Most Expensive in History of Internet'
http://www.newsfactor.com/perl/story/12668.html

eEye security advisory -- All versions of Microsoft IIS Remote buffer overflow (SYSTEM Level Access)
http://www.eeye.com/html/Research/Advisories/AD20010618.html

eEye security advisory -- .ida "Code Red" Worm
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
Current thread:
- Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)
- RE: Can we afford full disclosure of security holes? Marc Maiffret (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- Re: Can we afford full disclosure of security holes? Ryan Russell (Aug 10)
- Re: Can we afford full disclosure of security holes? Scott Blake (Aug 10)
- Re: Can we afford full disclosure of security holes? antirez (Aug 10)
- Re: Can we afford full disclosure of security holes? Alun Jones (Aug 10)
- RE: Can we afford full disclosure of security holes? Guy Helmer (Aug 10)
- Re: Can we afford full disclosure of security holes? Chris Wolfe (Aug 10)
- Re: Can we afford full disclosure of security holes? Randy Taylor (Aug 10)
- <Possible follow-ups>
- Re: Can we afford full disclosure of security holes? aleph1 (Aug 10)