Immunity Inc's release of attack code for the Windows TCP/IP flaw came at the request of customers who need the code to measure the risk to their own networks, said Dave Aitel, the company's chief technology officer. But some IT administrators are expressing misgivings about the code being tossed into the wild.
Earlier this week, Miami-based Immunity published a working exploit for the TCP/IP flaw addressed in Microsoft's MS08-001 security bulletin, one of two security updates released Jan. 8. In a phone interview Wednesday, Aitel said the code shows that the flaw is highly exploitable, countering Microsoft's claim that large-scale attacks against the flaw are unlikely. A Flash demonstration of the attack is available on the Immunity Web site.
"I don't think people have underestimated the risk of this flaw, but if they had any doubts this [the attack code] should remove it," Aitel said.
Asked if he worries about the code being exploited by people with malicious intentions, he said, "Anything as important as this flaw attracts interest from all sorts of different directions. For us, it's about determining how at risk we really are. You don't really know how something will affect your environment unless you have something you can test on your network."
He noted that his clients -- many of them large enterprises with 1,000 or more employees -- request the exploit code so it can be used to measure the level of risk the flaw poses to individual IT environments.
Jeffrey Jarzabek, IT director for Matocha Associates, an Oakbrook Terrace, Ill., firm specializing in architecture, engineering, general contracting and construction management, said Immunity's intentions are good. But he worries that publicizing such code is more harmful than helpful.
"Publicizing it is like opening a Pandora's box," Jarzabek said in an email exchange. "MS08-001 deals with some serious TCP/IP holes that could compromise an entire system and therefore a network."
He rejects another line of thought popular in the research community -- that exposing avenues of attack will help vendors see their security shortcomings and take action.
"Proving Microsoft wrong or proving something inferior of theirs creates an elevated sense of grandeur, but … releasing attack code to go through the flaw is just plain stupid," he said.
Aitel rejects the notion that everyone would be safe if companies like his would stop releasing attack code. The reality is that malicious people are constantly working to find flaws and exploit them, and it's better to ensure that the good guys have the same information so they can build better defenses, he said. Technically, the hacking community has known about the Windows TCP/IP flaw since August and chances are good that someone else has already cooked up their own attack code, Aitel said.
"People will have these things whether we produce the research or not," he said. "It would be vain for me to say we are the only one able to do this kind of research at this level. I can't say there aren't other exploits for this that were produced earlier."
Rhode Island-based network engineer Edward Ziots said the practice of releasing attack code is a double-edged sword. On the one hand, IT pros can't always believe everything coming from the Microsoft Security Response Center because even though they own the code and probably have extremely skilled programmers, they're not necessarily looking at it the same way the rest of the security researcher community is looking at it.
"As we've seen before with other TCP/IP flaws and the WMF flaws, Microsoft knew there was a working exploit, didn't think it was that big of a deal and waited a couple months to get a working patch out to customers," Ziots said in an email exchange.
Ziots said he's no fan of researchers who disclose zero-day flaws and immediately follow them with exploit code because they put IT shops and vendors alike "behind the eight-ball." But he believes Immunity has dealt with this case honorably.
He agrees with Aitel that it's beneficial for IT shops to use attack code for penetration testing on their own systems with the same level of certainty that a skilled hacker would have.