From: rms@privacyfoundation.org (Richard M. Smith)
To: "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
Subject: Can we afford full disclosure of security holes?
Date: Fri, 10 Aug 2001 14:39:06 -0400

Hello,

The research company Computer Economics is calling Code Red the most expensive computer virus in the history of the Internet. They put the estimated clean-up bill so far at $2 billion. I happen to think the $2 billion figure is total hype, but clearly a lot of time and money has been spent cleaning up after Code Red.

For the sake of argument, let's say that Computer Economics is off by a factor of one hundred. That still puts the clean-up costs at $20 million.

This $20 million figure begs the question: was it really necessary for eEye Digital Security to release full details of the IIS buffer overflow that made the Code Red I and II worms possible? I think the answer is clearly no. Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch.

I realize that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that a less revealing eEye advisory would have saved a lot of companies a lot of money and grief.

Unlike the eEye advisory, the Microsoft advisory on the IIS security hole shows the right balance. It gives IIS customers enough information about the buffer overflow without giving virus writers a recipe for how to exploit it.

Thanks,
Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

Links

Code Red Virus 'Most Expensive in History of Internet'
http://www.newsfactor.com/perl/story/12668.html

eEye security advisory -- All versions of Microsoft IIS Remote buffer overflow (SYSTEM Level Access)
http://www.eeye.com/html/Research/Advisories/AD20010618.html

eEye security advisory -- .ida "Code Red" Worm
http://www.eeye.com/html/Research/Advisories/AL20010717.html

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp