Motives of Code Red Bug Hunters Questioned
Bug hunters say they're doing a service by publicizing vulnerabilities; critics say otherwise.
Kim Zetter, PCWorld.com
Exploiting Security Holes
In some cases, the people who discover the bug also post exploit code along with their hole announcement. The exploit code serves as a demo to allow network administrators to test their systems for vulnerability. But crackers also use the code to break into unprotected systems.
The folks at eEye found themselves in hot water two years ago when they posted exploit code for another security hole they found in Microsoft IIS. They waited a week after informing Microsoft of the vulnerability before posting the exploit, but Microsoft publicly condemned the security company for the action.
At the time, eEye's Chief Executive Officer Firas Bushnaq told reporters that no one would have listened to the small firm's announcement unless they created a sense of urgency by releasing an exploit with it.
Richard Smith, who has also discovered a number of holes in software products, advocates responsible disclosure in which bug hunters notify a vendor and then offer just a small amount of detail. They should only post enough public information to let consumers know the problem exists and to convince them to go to the vendor for a solution.
"You're telling people too much if you come up with an exploit script [that] actually can be used to break into a system," Smith says.
Bruce Schneier, chief technical officer of Internet security firm Counterpane, advocates giving vendors at least three weeks to fix a problem and waiting to publish the vulnerability until a patch is available.
Schneier says that publishing exploits where irresponsible hackers can get to them is like "handing computer weaponry to clueless teenagers." But Rain Forest Puppy, a hacker and Chicago-based security consultant who has authored a disclosure policy that serves as a guideline for hackers reporting problems to vendors, says that whether or not an exploit is published by a bug hunter like eEye is not important.
"If a researcher doesn't write the exploit, a hacker will," Rain Forest Puppy says. "And if a hacker writes it, the code may only be distributed in the underground where system administrators won't know about it. Seeing the exploit code lets system administrators look at the code and see how it might affect their systems."
The Code Red worm didn't appear until a month after eEye announced the vulnerability. However, the average amount of time that passes between when a vulnerability is published and an exploit is written is 6 to 12 hours, Rain Forest Puppy says. This means that consumers and system administrators have very little time in which to patch their systems.
Getting Vendors to Act
Many hackers say they are loath to report holes to vendors because the companies ignore them, procrastinate in producing a patch, or deny the hole will cause problems. Some even threaten legal action if a hacker reverse-engineers a product to discover the hole.
Microsoft has become more responsive in the last couple of years through its security response center. Scott Culp, program manager of the center, says the company's policy is to respond to reports within 24 hours.
Rain Forest Puppy says that when he discovered a bug in Unicode last December, the company was immediately responsive. "I mailed them around 2:00 a.m. on a Friday night and got a response from them a couple of minutes later. They had a patch turned around in two days."
But that isn't always the case. A hacker named Syke says that he and associates reported a vulnerability in IE for UNIX to Microsoft in July 2000. The company sent an immediate response saying it would look into the problem, but Syke and his associates never heard back.
They wrote the company again in October saying they would publish the hole in a week. When they received no response, they published the vulnerability on October 13.
An annoyed Microsoft employee contacted them, asking why they hadn't alerted the company first. They were later told their earlier e-mail messages had somehow slipped through the cracks.
Maiffret says that Microsoft took over a month to create a patch for the Code Red vulnerability. "It seemed really, really long to us. It's not like a hard thing to fix. It's a buffer overflow."
"Microsoft said that because it was in IIS 5 for Windows 2000 and NT 4 that it would take them twice as long, which doesn't make sense," he says.
"Then after a month, about two hours before we were going to release the vulnerability announcement with them, they said that something broke in the patch and they had to take another week to fix things," he says.
For the most part, Maiffret has been satisfied by Microsoft's response to problems, but he acknowledges that not everyone has the same experience.
"Nobody should wonder why hackers don't give vendors the time of day," he says. It's important for companies to try to work with vendors because all of their mutual customers need a patch. But there's really no incentive for hackers to work with a vendor, he notes.
Microsoft takes a lot of heat for the holes in its products. Other vendors have security holes, too, but few get the amount of publicity that Microsoft's do, simply because its problems impact so many users.
If it's any consolation to Microsoft, Maiffret says that eEye has been on the receiving end of full disclosure as well. Hackers who discovered a hole in Secure IIS posted the information to BugTraq without telling eEye first.
"We only learned about it on BugTraq, but it only took us eight hours to fix the thing," he says.
"But any bug should be taken seriously because maybe there's more behind it that you figure out when you go in to research it and fix it," Maiffret adds.