Microsoft decries information 'anarchy'

The software giant wants to clamp down on security firms and hackers who release virus 'blueprints'
Written by Robert Lemos, Contributor

Microsoft, whose software has been at the centre of several recent high-profile security incidents, has decided to turn up the heat on those the company considers at least partially responsible: security firms and hackers who release sample programs to exploit software flaws.

This week, Scott Culp, manager for Microsoft's security response centre, published an essay on the company's site decrying the information and example code released by some companies and independent security consultants as "information anarchy".

Such information led directly to many of this year's most vicious worm attacks, he said.

"It's high time the security community stopped providing the blueprints for building these weapons," Culp wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."

The essay reopens the debate among security professionals over whether information on software flaws should be kept confidential or freely publicised.

A study done by Microsoft on recent worm attacks--including Ramen, 1i0n, Sadmind, Code Red and Nimda--found that each had been prefaced by the release of so-called exploit code. Such code can be a complete program or just the important pieces that demonstrate how a vulnerability can be exploited by a network attacker.

While some advocates of publishing such code argue that it helps system administrators understand the threat, Culp criticised the exploits as providing too much information.

"The state of affairs today allows even relative novices to build highly destructive (malicious software)," he wrote in the essay. "It's simply indefensible for the security community to continue arming cybercriminals. We can at least raise the bar."

Many in the security community agree.

"There is some value for having details in the advisories," said Chris Wysopal, director of research and development for security firm @Stake, "but not exploit code. If we cut off exploit code, that's a good place to start."

Microsoft intends to force the issue and to call on security experts to draw a line between responsible disclosure and arming people with the tools and software needed to attack computers, said Culp.

"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."

Glitches here to stay Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.

"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.

For Microsoft, that means limiting the frequency of worm epidemics and hacking.

The company's software is most often targeted by such attacks. By some estimates, the Code Red worm infected more than a million Web servers running Microsoft's Internet Information Server software for Web servers. And the recent Nimda worm caused havoc by exploiting holes in both servers and desktop computers running Microsoft software.

The company's software is picked apart regularly by security consultants. While some analyse the software for security's sake, others highlight flaws for publicity and still more do it to tweak the giant's proverbial nose.

By reducing the availability of exploit code, Microsoft could dodge future embarrassments from security incidents.

"There is obviously a huge element of self interest" for Microsoft, said @Stake's Wysopal. "I don't think it disqualifies their argument, though."

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards