
Microsoft to hackers: Don't publish code

The software giant criticizes security firms and independent programmers who release sample programs to compromise computer systems.

Microsoft, whose software has been at the center of several recent high-profile security incidents, has decided to turn up the heat on those the company considers at least partially responsible: security firms and hackers who release sample programs to exploit software flaws.

This week, Scott Culp, manager for Microsoft's security response center, published an essay on the company's site decrying the information and example code released by some companies and independent security consultants as "information anarchy."

Such information led directly to many of this year's most vicious worm attacks, he said.

"It's high time the security community stopped providing the blueprints for building these weapons," Culp wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."

The essay reopens the debate among security professionals over whether information on software flaws should be kept confidential or freely publicized.

A study done by Microsoft on recent worm attacks--including Ramen, 1i0n, Sadmind, Code Red and Nimda--found that each had been prefaced by the release of so-called exploit code. Such code can be a complete program or just the important pieces that demonstrate how a vulnerability can be exploited by a network attacker.

Gartner analyst Richard Stiennon says that when it comes to information security, "information anarchy" isn't the problem--instead, the focus should be on reducing company hype.

While some advocates of publishing such code argue that it helps system administrators understand the threat, Culp criticized the exploits as providing too much information.

"The state of affairs today allows even relative novices to build highly destructive (malicious software)," he wrote in the essay. "It's simply indefensible for the security community to continue arming cyber criminals. We can at least raise the bar."

Many in the security community agree.

"There is some value for having details in the advisories," said Chris Wysopal, director of research and development for security firm @Stake, "but not exploit code. If we cut off exploit code, that's a good place to start."

Microsoft intends to force the issue and to call on security experts to draw a line between responsible disclosure and arming people with the tools and software needed to attack computers, said Culp.

"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."

Culp argues in the essay that software flaws--whether in Windows, Linux or another operating system--are not going to go away.

"While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection," he said.

For Microsoft, that means limiting the frequency of worm epidemics and hacking.

The company's software is most often targeted by such attacks. By some estimates, the Code Red worm infected more than a million Web servers running Microsoft's Internet Information Server software for Web servers. And the recent Nimda worm caused havoc by exploiting holes in both servers and desktop computers running Microsoft software.

The company's software is picked apart regularly by security consultants. While some analyze the software for security's sake, others highlight flaws for publicity and still more do it to tweak the giant's proverbial nose.

By reducing the availability of exploit code, Microsoft could dodge future embarrassments from security incidents.

"There is obviously a huge element of self interest" for Microsoft, said @Stake's Wysopal. "I don't think it disqualifies their argument, though."