Three Cheers for Disclosure
A funny thing's been happening on the security mailing lists lately,
and it's got me shaking my head.
Next Generation Security Software (NGSSoftware) has been publishing vulnerability alerts for a couple of years now. It's most notorious for a July 2002 demonstration of a vulnerability in the Microsoft SQL Monitor protocol, a protocol used by SQL servers to discover other SQL servers on the network. That vulnerability, although patched at the time of disclosure, resulted in the SQL Slammer/Sapphire worm in January 2003, considered to be the fastest-spreading worm ever.
After being broadly chastised, NGSSoftware took the position that the details of its discoveries should be held for a period of time after the Microsoft patch was released. Until Slammer, the position was
simply to ensure Microsoft had released a patch prior to disclosure.
I'm not trying to rehash the old disclosure debate; there are many
people who support the entire spectrum of choices regarding disclosure,
from immediate and full to none at all. Instead I'm shaking my head at
the number of people who now seem confused over NGSSoftware's decision
to publish details 90 days after a patch's release.
A spate of detailed disclosures regarding vulnerabilities patched last
fall has been hitting the security mailing lists. They provide far
more detail than Microsoft had supplied in its respective Security
Bulletins, and help security folks who feel they need such details.
Still, I've been receiving numerous responses from mailing list
subscribers that these vulnerability notices are simply advertising for
Well, of course they're advertising! That's been part of vulnerability
notices for many years now. But it's unfair to label them as only
advertising, since they are providing the extra, detailed knowledge so
many seem to feel they need. I presume they need these details to write
their own intrusion detection/prevention system (IDS/IPS) signatures
for attacks that may be based on the vulnerability, or they want to
craft their own exploit code to perform vulnerability scans on their
systems. At least that's historically what people say they need those
details for. I've yet to see a single response from anyone applauding
NGSSoftware for releasing these details.
All this makes me wonder just how necessary they really are. I'm not
saying they shouldn't be released, but I am wondering who's using these
details, if not the myriad security professionals on the security
I believe the vast majority rely on others to absorb the details and
transform them into something usable like a new IDS/IPS signature, a
test for a vulnerability scanner or a new best practice; most don't
actually need these details.
This is how the anti-virus industry works. For the most part, companies
keep quiet about the details of the hundreds of new viruses reported
every week, except among those in the industry who create the antivirus
programs used by consumers. If there's a soft underbelly of the
security industry, it's the disclosure of proof-of-concept code to
millions who generally either aren't technically savvy enough to do
anything with it other than run it, or wouldn't run it even if they
could, for fear of the ramifications such a program might have on their
I applaud NGSSoftware's disclosure position, and hope it's emulated
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.