Feeds

Internet survives Code Red

We were sooo worried....

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

The 'Code Red' worm, which targeted Whitehouse.gov, and which exploits the .ida buffer overflow vulnerability in the IIS Indexing Service ISAPI filter, predictably failed to deliver the network-crushing blow which several hysterics in the mainstream press and the US National Infrastructure Protection Center had warned us about.

As usual, it created a moderate burden on system and network admins, but took its greatest toll in fear, uncertainty and doubt. Vmyths founder Rob Rosenberger reports that "unbridled fear about Code Red made many USAF bases go off-line via a precautionary disconnect. I repeat, fear crippled the Air Force, not the worm itself."

The .ida vulnerability was discovered and aggressively publicized by security outfit eEye Digital Security on 18 June. Soon after, a simple attack script was released by a Japanese computer enthusiast called HighSpeed Junkie.

The Code Red worm appeared only recently, on 13 July. It was to reach 'critical mass' on Friday, 20 July in a blistering distributed packet attack against the White House Web site, by which means the Internet's entire reserve of bandwidth was to have been consumed.

Even eEye 'Chief Hacking Officer' Marc Maiffret bit the FUD-baited hook: "the Internet is about to shut down and you're bickering about nonsense," he told us yesterday, finishing off an e-mail exchange in which we tried to assure him that our previous (admittedly negative) coverage of eEye's vulnerability publicity machine was in no way personal.

eEye makes several good security products for Windows and IIS, and has been responsible for finding and aggressively publicizing a number of holes in Microsoft products, especially IIS.

But the business of searching for and publicizing security holes while at the same time selling the solutions is a tricky and controversial business, not unlike the model pursued by anti-virus companies. We note, for example, that eEye has yet to publicize an IIS hole that its SecureIIS product won't defeat. Their discoveries inevitably support the claim that SecureIIS is a very wise investment.

Now they're facing an intriguing irony. Had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems.

In anticipation of inevitable criticism from cynical quarters like The Register over disseminating such information far and wide, the full eEye security bulletin contains a lengthy, preemptive homily on the virtues of full disclosure, and adds the observation that, had it not been for their investigative work, other security vendors would lack the data needed to defend against the .ida exploit.

This is true, of course; but we have to point out that, had it not been for their eagerness in publicizing the discovery broadly, Code Red would likely never have been developed -- and if it had, certainly not so swiftly.

This is not to say that The Register doesn't support full disclosure of security threats; we are in fact heartily in favor of it. This is rather to say that we appreciate the irony of aggressively disseminating such information in order to market protective products, ostensibly in service of increased security on the rationale that forewarned is forearmed.

When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.

In this case, it would seem, the media blitz has backfired spectacularly. Perhaps they'll tone things down a bit in future, as we hope. Their products are good, and their research is valuable. But they've lately been wagering their credibility on publicity, and we'd hate to see them lose that bet. ®

Related Stories

CERT defends vulnerability info restrictions
IIS worm made to packet Whitehouse.gov (.ida patches linked in this one)
Code Red bug hits Microsoft security update site

Remote control for virtualized desktops

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.