How Much Hack Info Is Too Much?

[InfoSec News <isn () c4i org>]

http://www.wired.com/news/infostructure/0,1377,56463,00.html

By Michelle Delio
Nov. 19, 2002

To disclose or not disclose -- it's a question that's been under heavy
discussion in the computer security industry over the past year.

U.S. cybersecurity director Richard Clarke and virtually all software
companies insist that software vendors should have a chance to fix
problems before security researchers disclose them publicly.

Researchers counter that without full disclosure, companies often fail
to swiftly patch security holes. Full disclosure, in theory, also
alerts computer users to problems that are already known to malicious
hackers, who often exploit holes before patches become available.

But a recent post on security news mailing list BugTraq has infuriated
some who normally favor full disclosure.

The post details how a bit of programming code embedded in a Web page
can reformat site visitors' hard drives, deleting all files stored on
the affected drive. The exploit affects users running Microsoft
Internet Explorer browser versions 5.5 or 6.0.

"Even if you are in favor of full disclosure, that post falls far
outside of the accepted parameters for a public forum," said security
expert Richard Smith. "I don't understand how publishing this kind of
malicious code increases security. Symantec (which hosts the
SecurityFocus website and BugTraq mailing list) is just helping out
the script kiddies.

"BugTraq is a moderated list, so it has the choice of what messages
are sent out to the list and which ones are rejected," Smith added.  
"Why wasn't this message rejected?"

Symantec spokeswoman Genevieve Haldeman said the vulnerability was
approved for posting on Bugtraq.

"The vulnerability is well-known within the security community and the
information posted on Bugtraq was information that had been copied or
linked from other public forums," Haldeman said. "This particular
exploit has the potential to cause tremendous damage to systems, and
security experts need to be aware that this vulnerability is being
exploited in the wild to cause damage."

Haldeman added that Symantec maintains Bugtraq for the security
community as an independent entity under the SecurityFocus brand.

The site's purpose is to foster objective reporting by security
experts on the latest tech threats and attacks. Appropriate content
would include "specific exploit programs, scripts or detailed
processes about security vulnerabilities," Haldeman said.

"It is critical to maintain the integrity of the community. We believe
that its current disclosure policy is appropriate for the venue,"  
Haldeman said of Bugtraq. "Symantec operates with a separate
disclosure policy for vulnerabilities found by our customers or
researchers."

Smith disagreed.

"Showing people how to automatically format hard disks from a Web page
isn't 'full disclosure,'" Smith said. "It is malicious code writing.  
To an outsider, Symantec's actions give the impression that they are
encouraging people to create and release malicious code. Given that
Symantec also sells security and antivirus software, I think there is
a terrible conflict of interest here."

The exploit in question was originally discovered by security
researcher Andreas Sandblad earlier in November.

Since Sandblad published his report, several exploits -- which have
been demonstrated on a half-dozen or more websites -- have been
developed. Most of the published exploits did no damage to a user's
computer, but demonstrated how it was possible to control the affected
computer remotely.

Other security experts said publishing the hard-drive exploit was a
double-edged sword.

"The new information enabled me to add to some rudimentary precautions
I'd taken previously based on earlier information," said Gary Flynn, a
security engineer at James Madison University. "But, of course, it
also made it easier for others to take advantage of the situation."

Flynn has posted a Web page documenting the problem and offering
possible workarounds.

A Microsoft spokeswoman said the Microsoft Security Response Center
investigated the security hole as soon as it was reported.

Some of the possible ways to exploit the hole have already been
addressed in security patches, the spokeswoman said, but added that
Microsoft is "investigating the issues discussed in the report, and
examining whether there are future changes we could make to provide
additional defense in-depth."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.