
Microsoft wants hackers to stop posting exploit code.

by Majik on October 18th, 2001

Microsoft, whose software has been at the center of several recent high-profile security incidents, has decided to turn up the heat on those the company considers at least partially responsible: security firms and hackers who release sample programs to exploit software flaws.

This week, Scott Culp, manager for Microsoft's security response center, published an essay on the company's site decrying the information and example code released by some companies and independent security consultants as "information anarchy."

Such information led directly to many of this year's most vicious worm attacks, he said.

"It's high time the security community stopped providing the blueprints for building these weapons," Culp wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."

The essay reopens the debate among security professionals over whether information on software flaws should be kept confidential or freely publicized.

A study done by Microsoft on recent worm attacks--including Ramen, 1i0n, Sadmind, Code Red and Nimda--found that each had been prefaced by the release of so-called exploit code. Such code can be a complete program or just the important pieces that demonstrate how a vulnerability can be exploited by a network attacker.

While some advocates of publishing such code argue that it helps system administrators understand the threat, Culp criticized the exploits as providing too much information.

"The state of affairs today allows even relative novices to build highly destructive (malicious software)," he wrote in the essay. "It's simply indefensible for the security community to continue arming cyber criminals. We can at least raise the bar."

Many in the security community agree.

"There is some value for having details in the advisories," said Chris Wysopal, director of research and development for security firm @Stake, "but not exploit code. If we cut off exploit code, that's a good place to start."

Microsoft intends to force the issue and to call on security experts to draw a line between responsible disclosure and arming people with the tools and software needed to attack computers, said Culp.

"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."

Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.

"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.

For Microsoft, that means limiting the frequency of worm epidemics and hacking.
