[Full-Disclosure] Sapphire worm POC that fulldisclosure policies hurt everyone
yossarian at planet.nl
Sun Jan 26 20:57:02 GMT 2003
> I hear a lot of arguments put out by the naive in favor of fulldisclosure
> of vulnerability information. But the fact is, fulldisclosure policies hurt
> everyone, and this time, they have wreaked havoc across the entire internet.
> The ms-sql vulnerability has been known to the public for six months. If the
> fulldisclosure philosophy were correct, the vulnerability would have been
> patched by the vast majority of admins out there. However, that isn't what
> happened. Thousands of machines were compromised and it led to a massive
> internet-wide loss of service.
Who is naive here? It doesn't hurt me that MS SQL servers fall over. If my
bank will get hurt by this virus, I will choose a bank that can be trusted.
Funny thing is, my bank is spending a lot of money and effort in preventing
this, and are successful at it. My guess is that shooting the messenger is
It might be a flaw in fulldisclosure policy that the responsible admins
don't read them, and irresponsible ones do. It is a major flaw in cars that
people who are not good drivers, can drive in them. Full disclosure does not
enable viruses. It IS a matter of timing, of course, posting a full exploit
on the 1st day it is discovered, might be a bit over the top. But then
again, it is the first day YOU know it is there, others might have known for
ages. Example: at DefCon 2000, the trust factory went full disclosure, more
or less, on an exploit in Lotus Notes. It was said to be unbreakable, rock
solid etc., for years. This very same hole had been exploited earlier, I and
many colleagues with me had seen it in 1998 or 1999, when it was used
against a bank and a car manufacturer. We didn't disclose it, maybe no one
did, but bottom line is that it had been used way before disclosure. Most
stories don't hit the press, most vulns are not reported, and eventually
forgotten. But they are also never fixed. If you say don't disclose, you are
fighting the lesser evil. As a researcher, you find large numbers of holes.
It is just a matter of time and effort. The lesser evil is computer viruses.
The bigger menace might well be digital armageddon. I don't think it is
possible today, but it will be some time in the future. Someone can shut
down the powergrid, probably with a targeted computer virus. Remember,
digital warfare will most likely be a form of economic warfare, unless
integrated warfare will be vulnerable. It certainly will, but it is not
there, yet. The Pentagon is working toward it, which means that soldiers can
command landmines to move to another spot - over TCP/IP. Sounds silly, but
some people are building this, it is not SF. If the vulnerabilities of the
used technologies are not known, high tech countries will be attacked by
their own smart weaponry.
Compared to some ATMs out of order, this might well be digital armageddon.
But no, we don't want to strengthen our defences, since there will be
collateral damage, since companies continue to employ incompetent people.
What is worse, the internet completely down today, or say in ten years time
with all the new dependencies, maybe including SDI and military early
warning systems, and certainly including the power grid, hospital support -
not just PC - systems and all telephone communications?
> There are a lot of attacks against the competency of administrators who
> failed to put their databases behind their firewall, and also failed to
> patch their machines, but fulldisclosure operates on the assumption that all
> administrators are going to find out about the bug and patch their machines.
> The fulldisclosure philosophy is flawed.
Well, if you use legit software, you are paying for support and supposed to
follow the instructions of the manufacturer. If you don't, who is to blame?
It is like not following your doctor's advice. All admins should do their
jobs properly, because that is what they are paid for. The information is
free, it is out there, very easy to get, but no, since not all the people
read it, FD doesn't work? The sad truth is that many admins are incompetent.
Finding out about a bug, especially if it is MS or some other major
company's software is very, very easy. Or would you dare to call people who
don't read the supplier's advice (or the manuals) as competent?
> The vast majority of those reading this message probably won the
> scriptkid/admin race of patching vs being compromised. But today, that
> didn't stop the destructive power of this worm. Today's denial of service
> was mostly caused by smaller enterprises with less competent administrators.
> The message is "pay up to the security consultants or your machines get
> owned". I would be more okay with this if it were just the machine's owners
> that got affected, but it's the entire internet. Get a clue, your actions
Duh, what a race, if you are more than six months behind. It doesn't take
six months to write a virus. The consequence of no disclosure, because that
IS what you are advocating, is that systems will never get fixed. See my
rant about digital armageddon.
It is not pay up to the security companies but just use the software you
understand. A fool with a tool is a dangerous fool. If a smaller company
decides to use a tool it cannot control, it is stupid. But you don't need a
security consultant to apply a fix, well, I sincerely hope that any admin can
update a system, either a fix or just a new app. There is no difference.
Also, there is no excuse for incompetence. Even smaller companies have their
buildings constructed by competent companies, not by someone who is dirt
cheap and they met in a bar. If a building collapses due to incompetence, the
construction company gets sued. If people die, the company owners might go
> If the ms-sql bug had never been disclosed, and was slipped quietly to
> Microsoft, this never would have happened, and the same responsible
> administrators would have upgraded their software. The odds are, those same
> responsible administrators have had their database servers behind a firewall
> anyways, so this is all irrelevant. This catastrophe was caused solely by
> the disclosure of vulnerability information.
This would have happened, since if MS was told quietly about this bug, these
sorry excuses for admins would still not have updated their systems.
There are hundreds of bugs in MSSQL, fixed and not fixed, but only a few
were ever used in a virus. MS is spending lots of money, just fixing the
holes they do find. Why? Because they might get exploited, whether it is
known or unknown. Most holes that are fixed were found by MS people, and
never disclosed. Just check on their site, and see what is in the updates.
Some security hotfixes are because of disclosed holes, many are not. In the
service packs, many other security holes are closed, MS tells you all about
it, if you were to read TechNet. BTW, TechNet is not for security consultant
Let me give you an example on disclosure vs. MS: in 1997 in MSDN someone
from MS warned developers about the risks of using, or rather thoughtless
use of several codesets. In 2001 the Unicode exploits surfaced, and MS fixed
them. But many admins didn't. Do you blame MS?
> I urge you to be more responsible with your actions in the future. The
> stability of the entire internet is at stake.
Funny, the net was built and designed to withstand nuclear war, but a single
15 y/o will take it down? The net is some corporate databases. It wouldn't
be interesting if it was. And all the extra traffic, well anything can cause
that, not only viruses. If they were to put a new single from any major
pop band on-line, would the traffic be very heavy?
I urge people to disclose in an effective AND responsible way, since not the
stability but the future of the Internet is at stake.
Full-Disclosure is hosted and sponsored by Secunia.