Security pros set up defence front

Two security incidents last week have polarised the parties debating the thorny issue of reporting vulnerabilities and exploits, but help may be on the way in the form of an industry group with established protocols.

An ad hoc association of security and general-purpose software vendors headed by Russ Cooper, moderator of the NTBugtraq mailing list and surgeon general at TruSecure, in Virginia, is working to establish such an industry group. The panel would formalise the way researchers handle the reporting of new vulnerabilities and would dispense vulnerability and exploit information, first to its members and then to the general public, once patches are available.

Currently, as no such standardised method exists, vulnerabilities and their exploit code are sometimes released to the general public before vendors are notified, greatly enhancing a hacker's ability to exploit security holes.

Other groups have attempted this feat with varying degrees of success, most notably the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh. But Cooper said he believes that an industry-led group could significantly reduce the number of attacks against computer networks.

"It's better for everyone if we keep [this data] to ourselves," Cooper said. "Why not keep it amongst the people who are considered responsible security practitioners? Most attackers aren't smart enough to write exploits themselves, so they rely on other people to release them."

Cooper has spoken with representatives from Microsoft, Sun Microsystems and others about his plans and said he hopes to have a final blueprint within two months.

His efforts come at a time when more and more so-called researchers are ignoring the industry practice of notifying and working with the vendor to verify a new vulnerability and holding off on disclosing it until a patch is ready.

Just last week, a company called Sentry Research Labs posted an advisory on the Bugtraq mailing list about a new flaw in Cisco Systems's Trivial FTP Daemon server, apparently without first notifying Cisco of the problem. Earlier in the week, eEye Digital Security released a bulletin about a new hole in Microsoft's Internet Information Services Web server.

While eEye did wait to release its advisory until a patch was ready, the company has come under fire from security professionals for releasing sample exploit code and providing the exact number of bytes needed to cause the new buffer overflow.

"The release of the exploit code is what causes all of the problems," said William Arbaugh, assistant professor of computer science at the University of Maryland, in College Park. Arbaugh is also the co-author of a paper that analyses the effect that releasing exploits has on the number of attacks on a given vulnerability. "But there's always someone who will do it, arguing that the bad guys are going to get it anyway," he said.

However, some administrators argue that disclosing vulnerabilities as soon as possible keeps the vendors honest and informs a greater number of people about the problem.

"If no one posted these, how would we ever know about it? The vendors wouldn't tell us," said one security specialist, who asked to remain anonymous.

Vendors, not surprisingly, said they reject this notion and maintain that it's in everyone's best interests for vulnerability data to be handled carefully.

"It doesn't do any good to tell the whole world, because you're just letting in the people who will exploit it," said Scott Culp, security program manager at Microsoft, in Washington state. "There should be a code of ethics for security professionals, with an end goal of keeping the users safe."

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.