05.10.1999 There is a new trend in the reporting of security vulnerabilities these days. Many of the problems are being reported by companies that make products to detect these problems. While more people researching the security of products is a good thing, it is certainly having an effect on the free flow of security information. Sometimes this effect is to the detriment of the customers of the product that the flaw exists in.
<P>
If a company makes a product that scans for security problems, they are going to want to add their newly discovered vulnerability to their list of things to scan for. They are probably, depending on the seriousness of the problem they have uncovered, going to want to make the advisory of the problem into a full scale press release that will hype their product. Usually the press release won't really tell you how to find the problem or how to solve it. You are going to need to download their product for that.
<P>
When security problems exist on production servers accessible from the internet, time is critical. Every day that goes by is another day that the server is exposed. How many people know about the problem? Who is actively exploiting it? It is impossible to tell. Good ethical security practice is to tell the people effected quickly, especially if there are steps they can take to mitigate or eliminate the risk themselves.
<P>
The L0pht recently found a problem with Microsoft's IIS 4.0 web server, the showcode problem. It allowed web users to read files anywhere on the web server that the file permissions were set to be world-readable. This turns out to be the case in many web servers that are not locked down properly. The L0pht was surprised at how widespread the problem was. Many high profile e-commerce servers were effected. Many, many corporate web servers were effected.
The research of the problem, which took less than a day, came up with a simple solution. Delete the sample files which made the machine vulnerable. They don't need to be on production servers anyway. We crafted an advisory and gave out the solution.
<P>
When we reported this to Microsoft they said that they had known about the problem for "several weeks". They had been notified by WebTrends about the problem, were researching it, and would issue a Security Bulletin. It didn't seem to be that so complicated an issue that would take several weeks to research. And the fix was simple. Just delete the files. No need to download a hotfix or even tweak the registry. What was taking so long?
<P>
The L0pht released the showcode advisory to Bugtraq, computer industry reporters, and Microsoft on May 7, 1999, 9:30am EST. Later that day, approximately 1:40 pm EST, WebTrends released a press release about the same problem. It spoke of how WebTrends had discovered the problem. The WebTrends press release didn't tell how to detect the problem and had no solution to the problem. Two things that were present in the L0pht advisory. It seemed that you had to download and run their product if you wanted this information.
It makes one wonder if the press release was put out at that particular time because the L0pht had informed the public about the problem first. It makes one wonder why Microsoft kept this problem and easy solution to themselves for several weeks.
<P>
Many crackers keep security vulnerabilities secret so that they can exploit them without worrying about vendor patches or fixes by system administrators. This is looked down upon highly by the security community as totally unethical. Why keep the vulnerabilities secret unless you are going to exploit them, or perhaps trade them for something?
<P>
Now we have software vendors keeping things secret. At least secret for a substantial period of time. Is this the way we want the industry to behave?
This is why full disclosure mailing lists such as Bugtraq and web sites such as Packet Storm Security are so important. They allow customers to get vulnerability reports, and hopefully fixes, in a timely manner. There is no centralized clearinghouse such as the software vendor or some government agency to slow things up for their own ends.
<P>
Vulnerability information is extremely valuable both to attackers and customers. Companies and organizations that release this information openly and as soon as possible are doing the security community a service. Those who choose to use the information for their own purposes first put customers at risk.
