Slashdot Mirror


On The Costs of Full Security Disclosure

sasha328 writes "I found reference to this email on the LWN.NET site which was sent to the SecurityFocus mailing list. It asks a very valid question about how much you can disclose before malicious virii can be possible."

3 of 269 comments

  1. More info by GeorgeH · Score: 5, Informative

    There was an interesting post about this on the Politech list, which includes a response from Elias Levy (the guy who runs BUGTRAQ).

    --
    Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
  2. Past history can tell by jsse · Score: 5, Informative

    Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft?

    That is based on the assumption that Microsoft would take immediate action for the benefit of the society.

    Ok, take a look at this:
    The update, which amounts to a point release for both IIS 4 and IIS 5, also addresses five previously undisclosed vulnerabilities with IIS, which could result in either denial of service or privilege elevation.

    Five undisclosed vulnerabilities! Smart crackers might have enjoyed exploiting them for months!

    When would Microsoft have disclosed fixes for those vulnerabilities? In the next service pack? Does that mean they wouldn't have been fixed if not for this Code Red instance?

    How could you rely on a group of people whose actions are unaccountable?

    Ok, you can mod me troll now if you don't like that I speak ill of Microsoft.

  3. Re:My problem with this. by WNight · Score: 4, Informative

    Actually, patching your server is one of the worst things you can do, if you aren't careful.

    It depends on the OS, the severity, the size of the fix, and how easy it is to block in another way.

    For an open source OS, with a simple fix, where you can look at it and be reasonably sure the patch is secure, go for it if the bug is serious.

    For a closed-source OS, or a really complex patch, don't apply it until you've seen reports from people who do (give it a month or two) unless it's a huge bug and you can't block it with another method.

    For example, some bugs would be port 139 overflows. Don't just patch Windows, firewall port 139 from the outside world.

    Another example, Code Red... Use a filtering proxy/firewall to dump any port-80 traffic that requests "default.ida"

    Keep in mind that patches aren't tested very well, simply because of the urgency of releasing them. I wouldn't trust an alpha-kernel on my servers, why would I try a webserver with an alpha patch?

    This is especially important if you're working with a Microsoft system. They've got a lot of history of releasing buggy service packs that can't be properly rolled back, etc.

    This is why full disclosure is *essential*. Competent admins can implement their own fixes while they wait for something official (and tested) to be developed.

    Imagine if Code Red was described only as a buffer overflow... It wouldn't be possible to protect yourself from it.
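The "default.ida" filter WNight describes above, as an added example that is not part of the original thread: a request-line check a filtering proxy could apply to port-80 traffic, run over constructed sample requests. It goes a step beyond a plain substring match by normalising case and percent-encoding the way IIS does before dispatching; the names SAMPLE_REQUESTS, requests_ida and filter_requests are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, not captured traffic. The Code Red line is
# a shortened stand-in for the worm's long padded query string.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0",
    "GET /DEFAULT.IDA?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0",
    "GET /scripts/%64efault.ida?AAAA HTTP/1.1",
    "GET /help/default.idq HTTP/1.0",
    "POST /cgi-bin/form HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def requests_ida(request_line: str) -> bool:
    """Return True if the request targets default.ida, the path the post says to drop.

    IIS matches paths case-insensitively and percent-decodes them before
    dispatching, so the check normalises the same way. A naive
    'default.ida' in request_line test would let the upper-case and
    encoded variants through to the server.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False  # not a well-formed request line; leave it to the server
    path = m.group("target").split("?", 1)[0]  # drop the query string
    path = unquote(path).lower()               # decode %XX, fold case
    return path.split("/")[-1] == "default.ida"


def filter_requests(lines):
    """Partition request lines into (allowed, dropped), as a filtering proxy would."""
    allowed, dropped = [], []
    for line in lines:
        (dropped if requests_ida(line) else allowed).append(line)
    return allowed, dropped


if __name__ == "__main__":
    ok, blocked = filter_requests(SAMPLE_REQUESTS)
    for line in blocked:
        print("DROP ", line)
    for line in ok:
        print("ALLOW", line)
```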