Bugtraq mailing list archives
Re: Can we afford full disclosure of security holes?
From: Bill Arbaugh <waa () cs umd edu>
Date: Fri, 10 Aug 2001 16:30:45 -0700
At 02:39 PM 8/10/2001 -0400, you wrote:
> ..... Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. I realize that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that a less revealing eEye advisory would have saved a lot of companies a lot of money and grief. Unlike the eEye advisory, the Microsoft advisory on the IIS security hole shows the right balance. It gives IIS customers enough information about the buffer overflow without giving virus writers a recipe for how to exploit it.
I agree completely with Richard, and I'd like to add more evidence to support the position. I (in joint work with John McHugh and Bill Fithen) found that the disclosure of the vulnerability did not lead to a significant increase in intrusions. What did lead to a significant increase in the intrusion rates was the release of an attack script, the automation of the vulnerability. These conclusions were reached by studying several intrusion sets. The full paper was published in IEEE Computer in December 2000, and it can be found at the URL below for those that want to see the details.

http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf

The bad news is that we also found that the problem of not patching systems is much, much worse than most suspect, i.e. we knew it was bad, but not as bad as we found.

Bill
Current thread:
- Can we afford full disclosure of security holes? Richard M. Smith (Aug 10)
- RE: Can we afford full disclosure of security holes? Marc Maiffret (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- Re: Can we afford full disclosure of security holes? Ryan Russell (Aug 10)
- Re: Can we afford full disclosure of security holes? Scott Blake (Aug 10)
- Re: Can we afford full disclosure of security holes? antirez (Aug 10)
- Re: Can we afford full disclosure of security holes? Alun Jones (Aug 10)
- RE: Can we afford full disclosure of security holes? Guy Helmer (Aug 10)
- Re: Can we afford full disclosure of security holes? Chris Wolfe (Aug 10)
- Re: Can we afford full disclosure of security holes? Randy Taylor (Aug 10)
- <Possible follow-ups>
- Re: Can we afford full disclosure of security holes? aleph1 (Aug 10)
- Re: Can we afford full disclosure of security holes? Bill Arbaugh (Aug 10)
- RE: Can we afford full disclosure of security holes? bodzincm (Aug 10)