Feeds

Internet survives Code Red

We were sooo worried....

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

The 'Code Red' worm, which targeted Whitehouse.gov, and which exploits the .ida buffer overflow vulnerability in the IIS Indexing Service ISAPI filter, predictably failed to deliver the network-crushing blow which several hysterics in the mainstream press and the US National Infrastructure Protection Center had warned us about.

As usual, it created a moderate burden on system and network admins, but took its greatest toll in fear, uncertainty and doubt. Vmyths founder Rob Rosenberger reports that "unbridled fear about Code Red made many USAF bases go off-line via a precautionary disconnect. I repeat, fear crippled the Air Force, not the worm itself."

The .ida vulnerability was discovered and aggressively publicized by security outfit eEye Digital Security on 18 June. Soon after, a simple attack script was released by a Japanese computer enthusiast called HighSpeed Junkie.

The Code Red worm appeared only recently, on 13 July. It was to reach 'critical mass' on Friday, 20 July in a blistering distributed packet attack against the White House Web site, by which means the Internet's entire reserve of bandwidth was to have been consumed.

Even eEye 'Chief Hacking Officer' Marc Maiffret bit the FUD-baited hook: "the Internet is about to shut down and you're bickering about nonsense," he told us yesterday, finishing off an e-mail exchange in which we tried to assure him that our previous (admittedly negative) coverage of eEye's vulnerability publicity machine was in no way personal.

eEye makes several good security products for Windows and IIS, and has been responsible for finding and aggressively publicizing a number of holes in Microsoft products, especially IIS.

But the business of searching for and publicizing security holes while at the same time selling the solutions is a tricky and controversial business, not unlike the model pursued by anti-virus companies. We note, for example, that eEye has yet to publicize an IIS hole that its SecureIIS product won't defeat. Their discoveries inevitably support the claim that SecureIIS is a very wise investment.

Now they're facing an intriguing irony. Had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems.

In anticipation of inevitable criticism from cynical quarters like The Register over disseminating such information far and wide, the full eEye security bulletin contains a lengthy, preemptive homily on the virtues of full disclosure, and adds the observation that, had it not been for their investigative work, other security vendors would lack the data needed to defend against the .ida exploit.

This is true, of course; but we have to point out that, had it not been for their eagerness in publicizing the discovery broadly, Code Red would likely never have been developed -- and if it had, certainly not so swiftly.

This is not to say that The Register doesn't support full disclosure of security threats; we are in fact heartily in favor of it. This is rather to say that we appreciate the irony of aggressively disseminating such information in order to market protective products, ostensibly in service of increased security on the rationale that forewarned is forearmed.

When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.

In this case, it would seem, the media blitz has backfired spectacularly. Perhaps they'll tone things down a bit in future, as we hope. Their products are good, and their research is valuable. But they've lately been wagering their credibility on publicity, and we'd hate to see them lose that bet. ®

Related Stories

CERT defends vulnerability info restrictions
IIS worm made to packet Whitehouse.gov (.ida patches linked in this one)
Code Red bug hits Microsoft security update site

Providing a secure and efficient Helpdesk

More from The Register

next story
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.