Industry Fears the Red Pill
Richard Forno, 2001-08-30

The security community must choose between the red pill of full disclosure or the blue pill of security through obscurity.

Right on! 2001-08-30
Odium Devonix (aka Hatred)
Bad analogy? 2001-09-03
Coldman
Full Disclosure 2001-09-03
H Carvey <keydet89@yahoo.com>
I've lurked on forums and watched emails fly by on this subject. In one way, I am shocked that it's still an issue...but hey, IIS admins were warned of Code Red before it came out, and David LeBlanc and Eric Schultz have advocated disabling unnecessary functionality (ida/idq script mappings??) for...what...a year now?

For information security to progress, there must be full, responsible disclosure. This establishes a level playing field, making the information available to all. Admins must also wake up and realize that the script kiddies and crackers have nothing better to do than look for new exploits to be published (if I see one more admin get on an SF list and ask why there's been an increase in NetBIOS scanning during a school vacation, I think I'm going to puke!).

But the key is 'responsible'. Those who discover the vulnerabilities should pursue the issue with academic rigor...seeing advisories from 'experts' with sections like:

"Systems Effected: NT 4 SP5/6a, Win2K, _maybe others_"

...doesn't really answer the question, does it?

Providing exploit code isn't necessary. Explaining what happens, how systems are affected, how to protect against it, and maybe vulnerability-checking code are all that is really necessary.

Assuming all else is equal, the real equalizer is going to be the 'responsible' waiting period. What length of time is adequate? What response is adequate? There are several up-and-coming 'security' companies trying to make a name for themselves that will choose three days instead of a week...all in an effort to get the word out there first and get their organization a little notoriety.

My $0.02. Direct all flames to '/dev/null', and all comments to 'keydet89@yahoo.com'.


Link to this comment: http://www.securityfocus.com/comments/columns/20/6964#6964
The red pill 2001-09-06
Dave Hudson (1 reply)
The red pill 2001-09-17
abaximus <pr0digy26@hotmail.com>
Copyright 2008, SecurityFocus