Windows & .NET Magazine Security UPDATE--August 13, 2003

1. In Focus: The Risks of Sharing Vulnerability Information

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

As you know, the past few weeks have been full of reports about possible impending attacks on Windows networks across the globe because of the recently discovered remote procedure call (RPC)/Distributed COM (DCOM) security problem. The release of code that attackers could use to exploit unprotected systems intensified those debates.

As I write this commentary, the speculation about a widespread attack is beginning to manifest itself in a new worm, known as Blaster, MBlast, or Lovesan. More than 10,000 systems probably infected with the worm are scanning to discover vulnerable systems. You can read about the worm in "ISC Detects RPC/DCOM Worm," in this edition of Security UPDATE.

At the same time, security professionals continue to debate the issues involved in having available knowledge about security vulnerabilities and having available code that attackers could twist into ready exploits--but the debates haven't reached any consensus. However, maybe this worm will shift the opinions.

A news story I read recently offers food for further thought. Although the story isn't related to computer security, it's related in a general sense to full disclosure and to a key element in determining someone's potential culpability--intent.

A young man (Sherman Austin) has been arrested, charged, and sent to prison for his alleged intentions regarding information to which he linked from his Web site. The Web site he linked to offered bomb-making information. As we know, anyone can obtain such information in the public domain (e.g., in libraries). Apparently, Austin's prosecution (which ended in a plea bargain) wasn't based on his use of "bomb-making" materials but on his linking from his Web site to such material. You can read more about the case at http://www.eff.org/br/20030807_eff_pr.php.

The matter of intent raises interesting questions about full disclosure in the computer security arena. At any given step in the disclosure proceedings, what's the intent of somebody who discloses security vulnerability information--and can that intent be known?

Amid much talk about cyber-terrorism, you hear debates about what kind of security vulnerability information to release, when to release it, and to whom to release it. The blame game is also popular: Some users are blamed for not patching their systems; other users are blamed for providing too much vulnerability information (whether information or code); and vendors are blamed for faults in their products. Because of the widespread use of various OSs, one tiny ripple not handled correctly can cause a tidal wave of problems. The hype about perceived potential damage often compounds the problem.

The RPC/DCOM problem offers a good example of how even the best intentions regarding vulnerability disclosure simply aren't enough. In this instance, those involved in discovering and reporting the problem followed the proposed guidelines of both the Organization for Internet Safety (OIS), which includes the vendor (Microsoft), in handling the vulnerability, subsequent disclosure, and patch provisioning. Even so, the proper process didn't stop people from learning more about the vulnerability and writing code to "demonstrate" the problem.

At the same time that intruders morphed the code into attack tools, the code revealed that the patch didn't work to prevent other aspects of the vulnerability. Clearly, having the code available can be a distinct benefit.

Is such code the equivalent of "bomb-making" instructions? Might some people assume that Web site and mailing list operators who support full disclosure have malicious intent? Can a decision for or against full disclosure ever benefit everyone? I wonder whether Austin's recent conviction offers a precedent that might apply to cyber-security.

In Austin's case, intent is an essential element. Some security researchers wear black hats and some white hats with pride. Still others swap hats in different situations. However, because intent is sometimes difficult if not impossible to know, prosecutors might make assumptions and everyone's rights might be at risk.

If you have comments or predictions about disclosure issues, discerning intent, and the rights involved, I'd like to hear them. Send me an email with your comments.