Vulnerabilities in software are nothing new, but the ease and speed with which they can be exploited are.
Last week's Slapper worm, which took advantage of a flaw in OpenSSL, was created only a month after the existence of the flaw became widespread knowledge in August. Slapper attacks Linux machines running the Apache Web server with the vulnerable versions of OpenSSL, an open-source implementation of Secure Sockets Layer (SSL).
The worm's source code was distributed throughout the Web, which has become the pre-eminent clearinghouse for information about exploiting vulnerabilities. In fact, the time gap between a vulnerability being discovered and the creation of a worm or exploit to take advantage of it is shrinking. The Web is the main driver of this shift, experts say.
Less accomplished worm writers used the worm's available source code to create two Slapper variants: Slapper.B and Slapper.C. Antivirus experts also fear that more sophisticated writers will use the code to craft other worms that exploit other vulnerabilities.
"The Internet is a great place for communication, but it has a bad side as well," said David Litchfield, a well-known vulnerability-finder and co-founder of Next Generation Security Software, which is based in Sutton, England.
Another factor in the closing gap is the better skill sets of many malicious hackers. For example, in the last five to 10 years, the number of people who could write an exploit to trip a stack-based buffer overflow has increased significantly, Litchfield said.
The Internet, however, has made programming knowledge a moot point in some ways. All it takes is one savvy programmer to write an exploit that is distributed via the Web. An attacker can find the code and literally cut and paste it to exploit a vulnerability, Litchfield said.
One way of preventing such information sharing is to choke the flow of information itself. Some argue that the details of a vulnerability should be tightly controlled so that malicious attackers can't write code to exploit it.
Litchfield's counter-argument: users need that information to create fixes or come up with workarounds to protect themselves. Developers also need to study vulnerabilities in detail so they don't make the same mistakes when writing code, he said.
"Information is like guns. When it's in the hands of bad people they can do harm," Litchfield said. "But if they are in the hands of good guys like cops, then they can be used to prevent crime."
The debate over full disclosure of vulnerabilities is not likely to go away soon.
Robert Lonadier, president of Boston-based analyst firm RCL Associates, said there are no easy answers to the debate. Other issues are also afoot.
For example, software vendors should take more responsibility for vulnerabilities and release more secure products, Lonadier said. Yet as software becomes more and more complex, even vendors can't find all the vulnerabilities, he said.
"Users should start thinking about going after classes of exploits, not specific ones," Lonadier said, noting that products like antivirus software, intrusion detection systems and behavior-based intrusion detection can address this.