Bugtraq mailing list archives

Re: Can we afford full disclosure of security holes?


From: Alun Jones <alun () texis com>
Date: Fri, 10 Aug 2001 14:53:07 -0500

At 01:39 PM 8/10/2001, Richard M. Smith wrote:
> For the sake of argument, let's say that Computer Economics
> is off by a factor of one hundred.  That still puts the
> clean-up costs at $20 million.

Divide that by the number of systems that needed to be cleaned up, and you come to quite a small number. Let's say only a hundred thousand systems were cleaned up. That's $200 - a couple of hours' consulting work, perhaps less, for each customer. Since many consultants won't come and visit you for any less, and many systems (of all varieties) are run by "admins" who wouldn't know how to install a patch, let alone tell if they needed to, I'd say that $20 million for as widespread a worm as this is (or is claimed to be) is getting off rather cheap.

> Wouldn't it have been much better for eEye to give the details
> of the buffer overflow only to Microsoft?  They could have still
> issued a security advisory saying that they found a problem in IIS
> and where to get the Microsoft patch.  I realize that a partial
> disclosure policy isn't as sexy as a full disclosure policy, but
> I believe that a less revealing eEye advisory would have saved a lot
> of companies a lot of money and grief.

Sure, eEye needed to make Microsoft the first people to notify - after all, if a vendor can come out with a fix, then there's a greater chance that the customers will download it. And who better to fix the software than the people who created it? But as to not disclosing it publicly, that's a harder matter. Microsoft, in particular, has a reputation (whether it deserves it or not) for ignoring bug reports until a big stink is made, such as that which can be made by publicly exposing the hole.

> Unlike the eEye advisory, the Microsoft advisory on the IIS
> security hole shows the right balance.  It gives IIS customers
> enough information about the buffer overflow without giving a recipe
> to virus writers of how to exploit it.

Unfortunately, because of this, it is impossible to independently verify that the hole has, indeed, been fixed (or that it was there to begin with). It is then also impossible to tell whether similar holes are present that the vendor didn't think to check for.

As with most other things, of course, the problem comes in determining the _degree_ with which to report publicly the holes in software. For instance, posting an exploit that takes, as a parameter, any executable, and allows you to upload and run it on the target machine, would be thoroughly irresponsible, and no better than releasing a cracking toolkit. Similarly, posting a full description without first making an attempt to discuss it with the vendor does not allow the vendor to correct mistakes in the report that are obvious to them, and which make the reporter look stupid.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun () texis com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT.
