SAN MATEO (05/01/2000) - Well, it turns out that Microsoft Corp. is a lot more competitive and contentious than even the mainstream media claims. The "secret password" that was hyped as a backdoor to hundreds of thousands of Web sites by The Wall Street Journal April 14 turned out to be the text string "!seineew era sreenigne epacsteN" (read it backward). Now that's what we call monopolist behavior -- name calling!
Beyond the implications of this remark for the price of pork belly futures, it turns out that one of the DLLs in question, dvwssr.dll, was revealed to have nothing short of two other real security vulnerabilities associated with it (apparently after coming under intense scrutiny caused by the initial outburst).
The ensuing friendly fire that took place on various security mailing lists is quite revealing as to the current state of one of the security industry's sacred cows -- full disclosure.
To tell or not to tell
Full disclosure is the mantra of several of security's more prominent figures and institutions. The notion is that an open and frank discussion of real or imagined security problems will ultimately lead to a more secure overall infrastructure. The only downside to this argument is, as when discussing adult matters with small children, there is no guarantee that whatever is aired in public won't be used against you at some point by those with nefarious motives.
Once someone finds a problem and immediately announces it to the world in the spirit of full disclosure, there is a potentially infinite window of time between the announcement and the release of a working fix during which a lot of people's servers are vulnerable.
In the case of dvwssr.dll, full disclosure was of debatable merit. The first "disclosure" (and the one picked up by all the mainstream press) was that the "weenies" string was some sort of secret password that gave privileged remote access to sites hosted on Microsoft's Internet Information Server (IIS). This was not the case, but parties dedicated to sniffing out trouble, even when there was only a whiff to go by, dug deeper. They noted that remote users with Web authoring access to an IIS system could read .asp and .asa files for other virtual sites hosted on that system as long as these remote users supplied the "weenies" string. (Rain Forest Puppy ferreted this out at www.wiretrip.net/rfp).
The fact that a poor arrangement of site permissions was the real root of this problem was lost in all the hype that followed this second disclosure. More fuel for the fire arrived in the form of a post to NTBugtraq by CORE-SDI (www.core-sdi.com), which claimed to have found yet another problem with the DLL. This trouble was a devastating buffer overflow issue that could be exploited to prevent the server from responding to incoming connections, and possibly even to execute arbitrary commands.
For those interested in a fix, this affects only Windows NT Server 4 with the Option Pack installed, not Windows 2000. The fix is to delete dvwssr.dll, unless required for Visual Interdev, Version 1.0 (circa 1995), in which case upgrade Interdev and delete the DLL. (It is no longer used.) Now that you're feeling relieved, what benefit has come of all this open discussion?
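One thing an administrator can do while deciding whether the DLL is still needed is look for requests to it in the server's own logs. The following scanner is an added example, not code from the column or from Foundstone: it parses an IIS W3C extended log (the field order is taken from the log's own #Fields directive rather than assumed), reports every request whose path ends in dvwssr.dll regardless of directory or case, and tallies them per client address. The log lines, client addresses and the directory in the sample path are constructed for this illustration.

```python
"""Flag IIS log entries that request dvwssr.dll (added example, not from the column)."""
from collections import Counter

# Constructed sample of an IIS W3C extended log. The directory holding the
# DLL and the client addresses are made up for this illustration; the
# #Fields line declares the column order and the parser reads it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-04-14 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-14 10:00:01 192.0.2.10 GET /default.asp - 200
2000-04-14 10:00:07 192.0.2.44 GET /authoring/dvwssr.dll foo=bar 200
2000-04-14 10:00:09 192.0.2.44 GET /index.html - 304
2000-04-14 10:00:12 198.51.100.7 POST /authoring/DVWSSR.DLL - 500
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    Lines starting with '#' are directives; only '#Fields:' matters here
    because it defines the column order for the data lines that follow.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Malformed line: skip it rather than abort the whole scan
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_dll_hits(records, filename="dvwssr.dll"):
    """Return records whose requested path ends in the given file name.

    The match ignores the directory and is case-insensitive, since IIS
    resolves paths case-insensitively.
    """
    wanted = filename.lower()
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() == wanted:
            hits.append(rec)
    return hits


def hits_by_client(hits):
    """Count hits per client address so the noisiest source stands out."""
    return Counter(rec.get("c-ip") for rec in hits)


if __name__ == "__main__":
    found = find_dll_hits(parse_w3c(SAMPLE_LOG))
    for rec in found:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["sc-status"])
    print(dict(hits_by_client(found)))
```

Run against a real log, the status column is worth watching alongside the hit count: a run of 5xx responses to the same DLL from one address is the kind of thing the overflow report above would make you want to look at, whereas the permissions issue leaves ordinary 200s behind.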
Full-disclosure now or perish!
The steps that must be taken to recover from an attack, discover the vulnerability used, and repair the hole that allowed access often never see the light of day. Companies are too paranoid about bad press to inform other potential victims about the hack technique and the fix technique. And the FBI is too paranoid about leaking "evidence" to be forthcoming about how hackers entered a system and what the law did to resolve a break-in. In the end the only one who benefits from the work of incident response is the original victim -- not the hundreds of other victims.
One Internet resource, the Incidents mailing list on Securityfocus.com, allows system administrators the chance to learn about fellow victims and gain advice on how to avoid becoming one. The list has a low volume of messages but it does provide some intelligent feedback on how to detect an attack, how to recover from an attack, and most important, how to eliminate the possibility of an attack in the future.
However, the list is rarely visited by those companies concerned about "image" -- such as Yahoo, eBay, Buy.com, etc. -- the very companies recently hit by the distributed denial of service attacks. The participants tend to be .edu sites, whose openness about their cyber troubles should be commended and modeled.
We cannot stress the importance of full disclosure strongly enough. Take a look at Incidents or let us know about the attacks on your systems and we'll get the word out. We'll even keep your company anonymous if you'd like. What do you think about pulling back the curtain and shedding some light on the details of the attack? Let us know at email@example.com.
Stuart McClure is President and CTO and Joel Scambray is a Managing Principal at security consultant Foundstone (www.foundstone.com), formerly Rampart Security Group.