Feeds

Internet survives Code Red

We were sooo worried....

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

The 'Code Red' worm, which targeted Whitehouse.gov, and which exploits the .ida buffer overflow vulnerability in the IIS Indexing Service ISAPI filter, predictably failed to deliver the network-crushing blow which several hysterics in the mainstream press and the US National Infrastructure Protection Center had warned us about.

As usual, it created a moderate burden on system and network admins, but took its greatest toll in fear, uncertainty and doubt. Vmyths founder Rob Rosenberger reports that "unbridled fear about Code Red made many USAF bases go off-line via a precautionary disconnect. I repeat, fear crippled the Air Force, not the worm itself."

The .ida vulnerability was discovered and aggressively publicized by security outfit eEye Digital Security on 18 June. Soon after, a simple attack script was released by a Japanese computer enthusiast called HighSpeed Junkie.

The Code Red worm appeared only recently, on 13 July. It was to reach 'critical mass' on Friday, 20 July in a blistering distributed packet attack against the White House Web site, by which means the Internet's entire reserve of bandwidth was to have been consumed.

Even eEye 'Chief Hacking Officer' Marc Maiffret bit the FUD-baited hook: "the Internet is about to shut down and you're bickering about nonsense," he told us yesterday, finishing off an e-mail exchange in which we tried to assure him that our previous (admittedly negative) coverage of eEye's vulnerability publicity machine was in no way personal.

eEye makes several good security products for Windows and IIS, and has been responsible for finding and aggressively publicizing a number of holes in Microsoft products, especially IIS.

But the business of searching for and publicizing security holes while at the same time selling the solutions is a tricky and controversial business, not unlike the model pursued by anti-virus companies. We note, for example, that eEye has yet to publicize an IIS hole that its SecureIIS product won't defeat. Their discoveries inevitably support the claim that SecureIIS is a very wise investment.

Now they're facing an intriguing irony. Had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems.

In anticipation of inevitable criticism from cynical quarters like The Register over disseminating such information far and wide, the full eEye security bulletin contains a lengthy, preemptive homily on the virtues of full disclosure, and adds the observation that, had it not been for their investigative work, other security vendors would lack the data needed to defend against the .ida exploit.

This is true, of course; but we have to point out that, had it not been for their eagerness in publicizing the discovery broadly, Code Red would likely never have been developed -- and if it had, certainly not so swiftly.

This is not to say that The Register doesn't support full disclosure of security threats; we are in fact heartily in favor of it. This is rather to say that we appreciate the irony of aggressively disseminating such information in order to market protective products, ostensibly in service of increased security on the rationale that forewarned is forearmed.

When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.

In this case, it would seem, the media blitz has backfired spectacularly. Perhaps they'll tone things down a bit in future, as we hope. Their products are good, and their research is valuable. But they've lately been wagering their credibility on publicity, and we'd hate to see them lose that bet. ®

Related Stories

CERT defends vulnerability info restrictions
IIS worm made to packet Whitehouse.gov (.ida patches linked in this one)
Code Red bug hits Microsoft security update site

New hybrid storage solutions

More from The Register

next story
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
Keep that consumer browser tat away from our software says Oracle
Big Red decides it will only support Firefox's Extended Support Releases
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
TIBCO ponders new 'financial options', including sale or merger
Your challenge: find ways to satisfy shareholders of mid-sized enterprise software outfit
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.