The announcement of a new worm has led some security experts to question the methods some security companies use to notify the public of potential problems.
The worm that has sparked a renewal of the debate has been dubbed "Code Red" by the researchers at eEye Digital Security who discovered it (see New worm attacks MS IIS systems). Many companies adhere to a philosophy called full disclosure, which holds that as much information as possible about vulnerabilities should be made public, including even the publication of tools to attack these flaws. Others in the community, however, say that full disclosure helps no one other than those who would attack systems.
Even though the vulnerability it exploits is more than a month old, the worm is able to spread to so many systems because so few systems administrators apply patches when they become available, says Russ Cooper, surgeon general of TruSecure and editor of the security email list NTBugtraq (which is distinct from BugTraq).
"Fewer than 5% of (any) software users apply any patches at all, that would be my guess," he says. "A very small fraction of people who own IIS are doing anything proactively," he says. Though there are an estimated 6 million IIS systems running web servers worldwide, only 160,000 people subscribe to Microsoft's free security bulletin email service and only 35,000 subscribe to NTBugtraq, he says.
In order to secure systems and help stop these kinds of worms from spreading, systems administrators need to do three things, Cooper says. First, they need to subscribe to Microsoft's security bulletin service, "so that they're at least aware that patches exist. They've got to start learning about these vulnerabilities to keep themselves secure," he says.
Second, they ought to subscribe to NTBugtraq, and lastly, they need to apply patches for their systems when they become available, Cooper says.
The number of users who have yet to patch their systems indicates that "we did the right thing in handling the vulnerability the way we did," by sending out alerts, contacting customers individually and working with the press, says Scott Culp, security program manager at the Microsoft security response centre.
"We make it as easy as we can for folks to get the information," he says. "We can only make it so easy," he adds; after that, customers will have to take some initiative.
One issue that is out of the hands of both the company and administrators, but is nonetheless a serious one, is the publication of tools to attack vulnerabilities, called exploits, NTBugtraq's Cooper says. Many of these exploits are published by bug finders just like eEye Digital Security, he says. EEye has published other exploits in the past, and though the company said it would do the same for the original vulnerability in this case, it never did, according to Marc Maiffret, chief hacking officer at eEye and one of the discoverers of the worm. The company did, however, include information about how to exploit the flaw in its original security alert.
EEye has discovered a number of the flaws found in IIS in recent months, partly because it is looking for them. EEye sells a product called SecureIIS designed to heighten the security of systems running IIS. This interest in IIS, along with the publication of exploits by the company, has led to more than a few raised eyebrows in the security community.
Full disclosure is a controversial, but not uncommon, aspect of the security world. As much information as possible about worms and other security flaws should be disclosed, the thinking goes, because it is the best way to make sure that administrators take notice and to spread information to programmers and researchers. However, some security experts, including Cooper, see the practice as dangerous.
"It's a certainty that these things (other attacks) are going to happen in the future as security companies are more determined to prove their skill by producing exploits," he says.
Even though full disclosure companies say they publish exploits for research, development and educational purposes, Cooper says that doesn't matter, equating the publication of exploits with the offering of bomb-making materials online.
To avoid the use of security company-authored exploits in worms and other so-called malware in the future, companies will have to conduct themselves in new ways, he says. There also "needs to be a way to vet security companies and their practices," he says, "for the overall security of the internet."
"Providing information on how to exploit the vulnerability doesn't do anyone any good, except the hackers," says Microsoft's Culp. "That's not the kind of information that ought to be in an advisory."
There is a clear distinction between the kind of information that ought to be in a security bulletin -- the effect of the issue, the conditions it functions under, the measures that can be taken to prevent problems -- and what should not be included, he says.
Microsoft is working with a number of security companies to reach agreement on how to report security flaws, he says. The company is not asking anyone to water down security advisories, but rather not to provide attack code, he says.
Though he admits that full disclosure is "a sticky subject with people" and says that Microsoft and eEye have essentially agreed to disagree on the full disclosure point, Maiffret says there are plenty of good reasons to disclose as much information as possible about holes.
"When you have this information and don't put it out, there are people in the underground who are exploiting it (already)," and without the details companies may not know they're being attacked, he says. "In the real computer underground, you just mention that XYZ has a hole in it, and (attackers will) find it."
Additionally, many intrusion detection systems require full details to create signatures that are able to detect attacks, he says.
As this worm has proved, patches are not always installed as quickly as they should be, he says.
"Seeing (the bulletin) is not always enough to convince (administrators) to apply the patch," either because of management dictates or other reasons, he says. The existence of an exploit "gets the message across," he says, "(it) wakes them up that they need to install the patch."
EEye doesn't plan on changing its full disclosure policies, Maiffret says.
"We are a full disclosure company," he says.
"The full disclosure debate can go on forever," he says, "but the fact remains that when the patch comes out you need to get it installed the same day."
And that's likely the one point all security professionals can agree on.