Feeds

Internet survives Code Red

We were sooo worried....

  • alert
  • submit to reddit

Build a business case: developing custom apps

The 'Code Red' worm, which targeted Whitehouse.gov, and which exploits the .ida buffer overflow vulnerability in the IIS Indexing Service ISAPI filter, predictably failed to deliver the network-crushing blow which several hysterics in the mainstream press and the US National Infrastructure Protection Center had warned us about.

As usual, it created a moderate burden on system and network admins, but took its greatest toll in fear, uncertainty and doubt. Vmyths founder Rob Rosenberger reports that "unbridled fear about Code Red made many USAF bases go off-line via a precautionary disconnect. I repeat, fear crippled the Air Force, not the worm itself."

The .ida vulnerability was discovered and aggressively publicized by security outfit eEye Digital Security on 18 June. Soon after, a simple attack script was released by a Japanese computer enthusiast called HighSpeed Junkie.

The Code Red worm appeared only recently, on 13 July. It was to reach 'critical mass' on Friday, 20 July in a blistering distributed packet attack against the White House Web site, by which means the Internet's entire reserve of bandwidth was to have been consumed.

Even eEye 'Chief Hacking Officer' Marc Maiffret bit the FUD-baited hook: "the Internet is about to shut down and you're bickering about nonsense," he told us yesterday, finishing off an e-mail exchange in which we tried to assure him that our previous (admittedly negative) coverage of eEye's vulnerability publicity machine was in no way personal.

eEye makes several good security products for Windows and IIS, and has been responsible for finding and aggressively publicizing a number of holes in Microsoft products, especially IIS.

But the business of searching for and publicizing security holes while at the same time selling the solutions is a tricky and controversial business, not unlike the model pursued by anti-virus companies. We note, for example, that eEye has yet to publicize an IIS hole that its SecureIIS product won't defeat. Their discoveries inevitably support the claim that SecureIIS is a very wise investment.

Now they're facing an intriguing irony. Had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems.

In anticipation of inevitable criticism from cynical quarters like The Register over disseminating such information far and wide, the full eEye security bulletin contains a lengthy, preemptive homily on the virtues of full disclosure, and adds the observation that, had it not been for their investigative work, other security vendors would lack the data needed to defend against the .ida exploit.

This is true, of course; but we have to point out that, had it not been for their eagerness in publicizing the discovery broadly, Code Red would likely never have been developed -- and if it had, certainly not so swiftly.

This is not to say that The Register doesn't support full disclosure of security threats; we are in fact heartily in favor of it. This is rather to say that we appreciate the irony of aggressively disseminating such information in order to market protective products, ostensibly in service of increased security on the rationale that forewarned is forearmed.

When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.

In this case, it would seem, the media blitz has backfired spectacularly. Perhaps they'll tone things down a bit in future, as we hope. Their products are good, and their research is valuable. But they've lately been wagering their credibility on publicity, and we'd hate to see them lose that bet. ®

Related Stories

CERT defends vulnerability info restrictions
IIS worm made to packet Whitehouse.gov (.ida patches linked in this one)
Code Red bug hits Microsoft security update site

Maximizing your infrastructure through virtualization

More from The Register

next story
Whoah! How many Google Play apps want to read your texts?
Google's app permissions far too lax – security firm survey
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
OpenWRT gets native IPv6 slurping in major refresh
Also faster init and a new packages system
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.