It says such "full disclosure" helps alert systems administrators to the seriousness of the situation. That view is also supported by other security experts.
"[eEye] didn't necessarily have to show the whole world this," said Scott Blake, director of security product strategy at BindView, a security product vendor. "But my philosophy is, the more scared people are, the more likely they are to implement the patch."
Blake said it's hard to get systems administrators to install every security patch, and the demonstration code provided by eEye last month, which appeared after Microsoft released its fix for the vulnerability, contributed to the sense of urgency that administrators must apply the update immediately. Blake also added that BindView does not itself publish such demonstration code.
According to estimates, two or three hundred thousand IIS servers were infected over two weeks by Code Red v. 1. Blake notes that some rough statistics about the number of IIS servers deployed on the Internet can be gauged by NetCraft's published estimates of 6 million IIS Servers.
"But I know of IIS servers that haven't downloaded Microsoft's fix for Code Red that haven't been infected yet," Blake concluded. On August 20, a new round of infections will commence anew, raising afresh an issue that just won't go away.
Copyright 2001 Network World Fusion (US), International Data Group Inc. All rights reserved.
