Feeds

Internet survives Code Red

We were sooo worried....

  • alert
  • submit to reddit

High performance access to file storage

The 'Code Red' worm, which targeted Whitehouse.gov, and which exploits the .ida buffer overflow vulnerability in the IIS Indexing Service ISAPI filter, predictably failed to deliver the network-crushing blow which several hysterics in the mainstream press and the US National Infrastructure Protection Center had warned us about.

As usual, it created a moderate burden on system and network admins, but took its greatest toll in fear, uncertainty and doubt. Vmyths founder Rob Rosenberger reports that "unbridled fear about Code Red made many USAF bases go off-line via a precautionary disconnect. I repeat, fear crippled the Air Force, not the worm itself."

The .ida vulnerability was discovered and aggressively publicized by security outfit eEye Digital Security on 18 June. Soon after, a simple attack script was released by a Japanese computer enthusiast called HighSpeed Junkie.

The Code Red worm appeared only recently, on 13 July. It was to reach 'critical mass' on Friday, 20 July in a blistering distributed packet attack against the White House Web site, by which means the Internet's entire reserve of bandwidth was to have been consumed.

Even eEye 'Chief Hacking Officer' Marc Maiffret bit the FUD-baited hook: "the Internet is about to shut down and you're bickering about nonsense," he told us yesterday, finishing off an e-mail exchange in which we tried to assure him that our previous (admittedly negative) coverage of eEye's vulnerability publicity machine was in no way personal.

eEye makes several good security products for Windows and IIS, and has been responsible for finding and aggressively publicizing a number of holes in Microsoft products, especially IIS.

But the business of searching for and publicizing security holes while at the same time selling the solutions is a tricky and controversial business, not unlike the model pursued by anti-virus companies. We note, for example, that eEye has yet to publicize an IIS hole that its SecureIIS product won't defeat. Their discoveries inevitably support the claim that SecureIIS is a very wise investment.

Now they're facing an intriguing irony. Had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems.

In anticipation of inevitable criticism from cynical quarters like The Register over disseminating such information far and wide, the full eEye security bulletin contains a lengthy, preemptive homily on the virtues of full disclosure, and adds the observation that, had it not been for their investigative work, other security vendors would lack the data needed to defend against the .ida exploit.

This is true, of course; but we have to point out that, had it not been for their eagerness in publicizing the discovery broadly, Code Red would likely never have been developed -- and if it had, certainly not so swiftly.

This is not to say that The Register doesn't support full disclosure of security threats; we are in fact heartily in favor of it. This is rather to say that we appreciate the irony of aggressively disseminating such information in order to market protective products, ostensibly in service of increased security on the rationale that forewarned is forearmed.

When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.

In this case, it would seem, the media blitz has backfired spectacularly. Perhaps they'll tone things down a bit in future, as we hope. Their products are good, and their research is valuable. But they've lately been wagering their credibility on publicity, and we'd hate to see them lose that bet. ®

Related Stories

CERT defends vulnerability info restrictions
IIS worm made to packet Whitehouse.gov (.ida patches linked in this one)
Code Red bug hits Microsoft security update site

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.