News

Three Cheers for Disclosure

• By Russ Cooper
• February 01, 2005

Next Generation Security Software (NGSSoftware), has been publishing vulnerability alerts for a couple of years now. It's most notorious for a July 2002 demonstration of the vulnerability in the Microsoft SQL Monitor protocol, a protocol used by SQL servers to discover other SQL servers on the network. That vulnerability, although patched at the time of disclosure, resulted in the SQL Slammer/Sapphire worm in January 2003, considered to be the fastest-spreading worm ever.

After being broadly chastised, NGSSoftware took the position that the details of its discoveries should be held for a period of time after the Microsoft patch was released. Until Slammer, the position was simply to ensure Microsoft had released a patch prior to disclosure.

I'm not trying to rehash the old disclosure debate; there are many people who support the entire spectrum of choices regarding disclosure, from immediate and full to none at all. Instead I'm shaking my head at the number of people who now seem confused over NGSSoftware's decision to publish details 90 days after a patch's release.

A spate of detailed disclosures regarding vulnerabilities patched last fall have been hitting the security mailing lists. They provide far more details than Microsoft had supplied in its respective Security Bulletins, and help security folks who feel they need such details. Still, I've been receiving numerous responses from mailing list subscribers that these vulnerability notices are simply advertising for NGSSoftware.

Well, of course they're advertising! That's been part of vulnerability notices for many years now. But it's unfair to label them as only advertising, since they are providing the extra, detailed knowledge so many seem to feel they need. I presume they need these details to write their own intrusion detection/prevention system (IDS/IPS) signatures for attacks that may be based on the vulnerability, or they want to craft their own exploit code to perform vulnerability scans on their systems. At least that's historically what people say they need those details for. I've yet to see a single response from anyone applauding NGSSoftware for releasing these details.

All this makes me wonder just how necessary they really are. I'm not saying they shouldn't be released, but I am wondering who's using these details, if not the myriad security professionals on the security mailing lists.

I believe the vast majority rely on others to absorb the details and transform them into something usable like a new IDS/IPS signature, a test for a vulnerability scanner or a new best practice; most don't actually need these details.

This is how the anti-virus industry works. For the most part, companies keep quiet about the details of the hundreds of new viruses reported every week, except among those in the industry who create the antivirus programs used by consumers. If there's a soft underbelly of the security industry, it's the disclosure of proof-of-concept code to millions who generally either aren't technically savvy enough to do anything with it other than run it, or wouldn't run it even if they could, for fear of the ramifications such a program might have on their production environment.

I applaud NGSSoftware's disclosure position, and hope it's emulated more often.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most- recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.