Bugtraq mailing list archives

RE: Can we afford full disclosure of security holes?


From: bodzincm () WellsFargo COM
Date: Fri, 10 Aug 2001 16:11:02 -0700

<snip>
Wouldn't it have been much better for eEye to give the details 
of the buffer overflow only to Microsoft?  They could have still 
issued a security advisory saying that they found a problem in IIS 
and where to get the Microsoft patch.  I realize that a partial 
disclosure policy isn't as sexy as a full disclosure policy, but 
I believe that a less revealing eEye advisory would have saved a lot 
of companies a lot of money and grief.
</snip>

Fatally flawed thinking, for several reasons:

1) This worm is pretty much a carbon copy of a previous worm released months
ago (one that worked on .htr files).  The patch for the problem was released
long ago and should have already been applied by security-conscious
admins...which says something about the importance of security to most
admins.

2) Vendors - including but not limited to Microsoft - have a history of
quietly burying critical problems that aren't fully released to the public.
Intel initially claimed that the Pentium math bug didn't affect enough
people to merit a fix; Microsoft originally claimed that NTFS was not
vulnerable to file fragmentation; the list continues ad infinitum.  Nothing
is better for the public's interest than full disclosure; it forces
(sometimes painfully) people to confront problems and deal with them.


3) You assume that without eEye's help nobody would have known about this
vulnerability or how to exploit it, and that by keeping quiet the problem
wouldn't exist.  While the guys at eEye are clearly sharper than average,
you are not giving the hacker community nearly enough credit.  Who's to say
that this vulnerability wasn't already being quietly exploited by hackers?
Sure, releasing code may make it easier for script kiddies, but trying to
keep information from the public is "security through obscurity" and we all
know how well that works.

4) Lastly, I believe that eEye didn't release details of their exploit until
a few days after they pointed out the problem and the patch, giving admins a
short but manageable amount of time to fix the problem.

CM
