Reining in Exploits
Two security incidents last week have polarized the parties debating the thorny issue of reporting vulnerabilities and exploits, but help may be on the way in the form of an industry group with established protocols.
An ad hoc association of security and general-purpose software vendors headed by Russ Cooper, moderator of the NTBugtraq mailing list and surgeon general at TruSecure Corp., in Reston, Va., is working to establish such an industry group. The panel would formalize the way researchers handle the reporting of new vulnerabilities and would dispense vulnerability and exploit information, first to its members and then to the general public, once patches are available.
Currently, as no such standardized method exists, vulnerabilities and their exploit code are sometimes released to the general public before vendors are notified, greatly enhancing a hackers ability to exploit security holes.
Other groups have attempted this feat with varying degrees of success, most notably the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh. But Cooper said he believes that an industry-led group could significantly reduce the number of attacks against computer networks.
"Its better for everyone if we keep [this data] to ourselves," Cooper said. "Why not keep it amongst the people who are considered responsible security practitioners? Most attackers arent smart enough to write exploits themselves, so they rely on other people to release them."
Cooper has spoken with representatives from Microsoft Corp., Sun Microsystems Inc. and others about his plans and said he hopes to have a final blueprint within two months.
His efforts come at a time when more and more so-called researchers are ignoring the industry practice of notifying and working with the vendor to verify a new vulnerability and holding off on disclosing it until a patch is ready.
Just last week, a company called Sentry Research Labs posted an advisory on the Bugtraq mailing list about a new flaw in Cisco Systems Inc.s Trivial FTP Daemon server, apparently without first notifying Cisco of the problem. Earlier in the week, eEye Digital Security Inc. released a bulletin about a new hole in Microsofts Internet Information Services Web server.
While eEye did wait to release its advisory until a patch was ready, the company has come under fire from security professionals for releasing sample exploit code and providing the exact number of bytes needed to cause the new buffer overflow.
"The release of the exploit code is what causes all of the problems," said William Arbaugh, assistant professor of computer science at the University of Maryland, in College Park. Arbaugh is also the co-author of a paper that analyzes the effect that releasing exploits has on the number of attacks on a given vulnerability. "But theres always someone who will do it, arguing that the bad guys are going to get it anyway," he said.
However, some administrators argue that disclosing vulnerabilities as soon as possible keeps the vendors honest and informs a greater number of people about the problem.
"If no one posted these, how would we ever know about it? The vendors wouldnt tell us," said one security specialist, who asked to remain anonymous.
Vendors, not surprisingly, said they reject this notion and maintain that its in everyones best interests for vulnerability data to be handled carefully.
"It doesnt do any good to tell the whole world, because youre just letting in the people who will exploit it," said Scott Culp, security program manager at Microsoft, in Redmond, Wash. "There should be a code of ethics for security professionals, with an end goal of keeping the users safe."