Three Cheers for Disclosure
Here's to NGSSoftware for their commitment to detail.
A funny thing's been happening on the security mailing lists lately, and it's
got me shaking my head.
Next Generation Security Software
(NGSSoftware) has been publishing vulnerability alerts for a couple of years
now. It's most notorious for a July 2002 demonstration of the vulnerability
in the Microsoft SQL Monitor protocol, a protocol
used by SQL servers to discover other SQL servers on the network. That vulnerability,
although patched at the time of disclosure, resulted in the SQL
Slammer/Sapphire worm in January 2003, considered to be the fastest-spreading
After being broadly chastised, NGSSoftware took the position that the details
of its discoveries should be held for a period of time after the Microsoft patch
was released. Until Slammer, the position was simply to ensure Microsoft had
released a patch prior to disclosure.
I'm not trying to rehash the old disclosure debate; there are many people who
support the entire spectrum of choices regarding disclosure, from immediate
and full to none at all. Instead I'm shaking my head at the number of people
who now seem confused over NGSSoftware's decision to publish details 90 days
after a patch's release.
A spate of detailed disclosures regarding vulnerabilities patched last fall
has been hitting the security mailing lists. They provide far more details
than Microsoft had supplied in its respective Security Bulletins,
and help security folks who feel they need such details. Still, I've been receiving
numerous responses from mailing list subscribers that these vulnerability notices
are simply advertising for NGSSoftware.
This column was originally published in our weekly Security Watch newsletter.
Well, of course they're advertising! That's been part of vulnerability notices
for many years now. But it's unfair to label them as only advertising, since
they are providing the extra, detailed knowledge so many seem to feel they need.
I presume they need these details to write their own intrusion
detection/prevention system (IDS/IPS) signatures for attacks that may
be based on the vulnerability, or they want to craft their own exploit code
to perform vulnerability scans on their systems. At least that's historically
what people say they need those details for. I've yet to see a single response
from anyone applauding NGSSoftware for releasing these details.
All this makes me wonder just how necessary they really are. I'm not saying
they shouldn't be released, but I am wondering who's using these details, if
not the myriad security professionals on the security mailing lists.
I believe the vast majority rely on others to absorb the details and transform
them into something usable like a new IDS/IPS signature, a test for a vulnerability
scanner or a new best practice; most don't actually need these details.
This is how the antivirus industry works. For the most part, companies keep
quiet about the details of the hundreds of new viruses reported every week,
except among those in the industry who create the antivirus programs used by
consumers. If there's a soft underbelly of the security industry, it's the disclosure
of proof-of-concept code to millions who generally either aren't technically
savvy enough to do anything with it other than run it, or wouldn't run it even
if they could, for fear of the ramifications such a program might have on their
I applaud NGSSoftware's disclosure position, and hope it's emulated more often.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.