Bugtraq mailing list archives

Re: Can we afford full disclosure of security holes?


From: Bill Arbaugh <waa () cs umd edu>
Date: Fri, 10 Aug 2001 16:30:45 -0700

At 02:39 PM 8/10/2001 -0400, you wrote:
.....
Wouldn't it have been much better for eEye to give the details
of the buffer overflow only to Microsoft?  They could have still
issued a security advisory saying that they found a problem in IIS
and where to get the Microsoft patch.  I realize that a partial
disclosure policy isn't as sexy as a full disclosure policy, but
I believe that a less revealing eEye advisory would have saved a lot
of companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS
security hole shows the right balance.  It gives IIS customers
enough information about the buffer overflow without giving a recipe
to virus writers of how to exploit it.

I agree completely with Richard, and I'd like to add more evidence
to support the position. I (in joint work with John McHugh and Bill Fithen)
found that the disclosure of the vulnerability did not lead to a significant increase
in intrusions. What did lead to a significant increase in the intrusion rates
was the release of an attack script, i.e., the automation of the vulnerability. These
conclusions were reached by studying several intrusion sets.

The full paper was published in IEEE Computer in December 2000, and it
can be found at the URL below for those that want to see the details.

http://www.cs.umd.edu/~waa/pubs/Windows_of_Vulnerability.pdf

The bad news is that we also found that the problem of not patching systems
is much, much worse than most suspect, i.e., we knew it was bad, but not as
bad as we found.

Bill