Users login

Create an account »


Users login

Home » Hacking News » Why blame the creators when you can blame someone you know?

Why blame the creators when you can blame someone you know?

by Majik on August 12th, 2001 The damage toll from the Code Red worm has sparked a new debate over what security experts call "full disclosure."

Richard M. Smith, chief technology officer for the Privacy Foundation, today criticized the company that found and publicized the glitch in Microsoft's Internet Information Server (IIS) which led to the creation of the malicious worm and a copy-cat.

"Was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no," wrote Smith in a message to the Bugtraq security mailing list today.

Eeye published a detailed advisory about the new IIS flaw on June 18, the same day that Microsoft released its own bulletin and a patch to correct the problem. In its description of the problem, Microsoft thanked eEye for working with the company "to protect customers."

On Wednesday, Computer Economics, an information technology cost research firm, put the total economic pricetag of the Code Red worm at more than $2 billion, based on an estimate that 760,000 computers worldwide were infected.

According to Smith, those figures are "total hype." But he said that if eEye had released details about the bug only to the big software company, organizations that use Microsoft's IIS software would have been spared the considerable expense and effort of cleaning up after Code Red.

"One thing is now crystal clear with Code Red: full-disclosure comes with one of hell of a price tag. There has to be a better way," said Smith.

As first reported by Newsbytes, the original Code Red worm was identified on July 17. A second worm, dubbed Code Red II, which preyed on the same vulnerability, began appearing on Aug. 4. The authors of both worms have not been identified.

In a seething rebuttal to Smith's posting, Marc Maiffret, chief hacking officer for eEye, denied that the firm was indirectly responsible for the worm. According to Maiffret, "This sort of ignorance being spread in a public forum is just one of the many things wrong with the security industry."

As proof that withholding security vulnerability information can ultimately hurt computer users, Maiffret pointed to an earlier, related worm released last spring which exploited a different, unpublished vulnerability in IIS but didn't spread widely.

According to a report published Monday in the Wall Street Journal, the worm infected a Department of Energy research laboratory last April. The lab called in the FBI, but the agency reportedly took no action.

Maiffret said Microsoft subsequently released a fix for the flaw as part of a bundle of patches, without publicizing the vulnerability.

"Therefore (intrusion detection system) vendors never had a signature ... If a security company had found the flaw, then there would have been details, signatures made, and IDS systems would have detected the first instance of Code Red," said Maiffret.

Elias Levy, chief technology officer for and editor of the Bugtraq list, agreed that security professionals require technical details to conduct business.

"Without detailed information, how should third-parties develop countermeasures? In essence you are arguing that only the vendor should be capable of fixing the vulnerable software," Levy wrote. "How should authors of vulnerability scanners and intrusion detection systems obtain information to produce new signatures? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules? What about non-commercial or open source tools?"

Smith, who has also identified numerous bugs in Microsoft products, said he chose not to publish details about how the flaws could be exploited by others.

"How come so few people have ever approached me for the full details? I guess I don't see the same level of demand for full-disclosure as you do," said Smith.

According to estimates from the Computer Emergency Response Team (CERT), a security clearinghouse at Carnegie-Mellon University, more than 150,000 systems were infected by Code Red II within days of its release.

Despite heated discussions of the worm in security forums like Bugtraq, widespread media attention, and computer industry education efforts, tens of thousands of IIS servers remain infected today, according to Marty Lindner, team leader of CERT's incident handling group.

"At this point, our e-mail to administrators of these systems is bouncing. There are thousands of machines out there that are basically running on auto-pilot. It seems like there's no one there listening," said Lindner.

Levy acknowledged that while the disclosure of detailed vulnerability information benefits "security-conscious people," it may also cause short-term harm.

"It hurts people that do not keep up with security, with the hope that it also helps them in the longer term," said Levy.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »