18 Oct 2001
Microsoft has attacked the security community for "arming cyber criminals" and helping attackers to devastate networks.
Scott Culp, manager of the Microsoft Security Response Centre, slammed the full disclosure ethic favoured by some security experts as helping to spread "information anarchy".
Commenting on the recent security headaches caused by Code Red and Nimda, Culp said that the authors of such worms "needed help to devastate our networks, and we in the security community gave it to them".
"It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent and responsible in the way we do it," he added.
The full disclosure ethic used by a number of security experts allows for the publishing of as much information as possible about a vulnerability, sometimes even down to the actual code necessary to exploit the hole.
Some say that this method forces vendors and administrators to confront the problem before it's too late. But others say that it delivers a recipe for disaster right into the hands of malicious hackers.
The alternative, partial disclosure, again practised by a number of security experts, keeps the finer details of an exploit under wraps, at least until the relevant patch is put together and distributed.
Culp described the path of full disclosure as "following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used."
Security firm eEye, which follows the full disclosure ethic, has come under fire in the past for publishing vulnerability information which may have benefited the authors of Code Red.
And Culp is not alone in his view. In a posting to security mailing list BugTraq, Richard Smith, chief technical officer of the Privacy Foundation, said: "Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft?
"They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. A less revealing eEye advisory would have saved a lot of companies a lot of money and grief."
Although there are obviously divisions in the security industry over which is the more beneficial method, Eric Chien, chief researcher at Symantec, said the issue is not black and white.
"Full disclosure is beneficial among security professionals, but sometimes not if the information is made public. We don't need to give out blueprints for exploits," he said.
But Ryan Russell, of SecurityFocus.com, reckons that vendors would be tempted to brush vulnerabilities under the carpet.
"Will Microsoft do the right thing if they could cover it up? A few years ago, the answer was no they wouldn't, they would cover it up," he wrote. "Almost every single software vendor has tried to do a cover up or ignore the problem at some point in time."
But the case for full disclosure rests on the fact that the research takes place anyway, and it may be that full disclosure warnings such as the eEye advisory showed us the bug nearly a month before the Code Red worm did.