With New IIS Worm, Security Practices Questioned

By IDG
07.19.2001
take notice and to spread information to programmers and researchers. However, some security experts, including Russ Cooper, see the practice as dangerous.

"It's a certainty that these things (other attacks) are going to happen in the future as security companies are more determined to prove their skill by producing exploits," he said.

Even though full disclosure companies say they publish exploits for research, development and educational purposes, Cooper said that doesn't matter, equating the publication of exploits with the offering of bomb-making materials online.

To avoid the use of security company-authored exploits in worms and other so-called malware in the future, companies will have to conduct themselves in new ways, he said. There also "needs to be a way to vet security companies and their practices," he said, "for the overall security of the Internet."

"Providing information on how to exploit the vulnerability doesn't do anyone any good, except the hackers," said Microsoft's Culp. "That's not the kind of information that ought to be in an advisory."

There is a clear distinction between the kind of information that ought to be in a security bulletin -- the effect of the issue, the conditions it functions under, the measures that can be taken to prevent problems -- and what should not be included, he said.

Microsoft is working with a number of security companies to reach agreement on how to report security flaws, he said. The company is not asking anyone to water down security advisories, but rather not to provide attack code, he said.

Though admitting that full disclosure is "a sticky subject with people" and saying that Microsoft and eEye have essentially agreed to disagree on the full disclosure point, there are plenty of good reasons to disclose as much information as possible about holes, Maiffret said.

"When you have this information and don't put it out, there are people in the underground who are exploiting it (already)," and without the details companies may not know they're being attacked, he said. "In the real computer underground, you just mention that XYZ has a hole in it, and (attackers will) find it."

Additionally, many intrusion detection systems require full details to create signatures that are able to detect attacks, he said.

As this worm has proved, patches are not always installed as quickly as they should be, he said.

"Seeing (the bulletin) is not always enough to convince (administrators) to apply the patch," either because of management dictates or other reasons, he said. The existence of an exploit "gets the message across," he said, "(it) wakes them up that they need to install the patch."

eEye doesn't plan on changing its full disclosure policies, Maiffret said.

"We are a full disclosure company," he said.

"The full disclosure debate can go on forever," he said, "but the fact remains that when the patch comes out you need to get it installed the same day."

And that's likely the one point all security professionals can agree on.

Copyright 2001 IDG News Service, International Data Group Inc. All rights reserved.