The Code Red sequence has clarified the disclosure-versus-deployment timing problem in ways the more abstract debate has not. With concrete data on how fast a serious worm propagates after vulnerability disclosure, the trade-offs in disclosure timing are sharper than they were.
The Code Red timeline
- 18 June 2001: Microsoft publishes MS01-033. Patch available.
- 18 June - 13 July: 25-day window in which the patch exists but has not been deployed by most operators. The vulnerable population starts at near-100% of IIS servers and decreases gradually.
- 13 July: Code Red I appears. The worm exploits the disclosed bug.
- 13-19 July: Saturation. Roughly 360,000 hosts compromised. Most patching happens during and after this window.
- 4 August: Code Red II appears, targeting the same bug. About 100,000 additional hosts compromised; persistent backdoor installed.
- August onwards: Continued cleanup. The vulnerable population shrinks slowly.
The key data point: the worm appeared 25 days after the patch. By then most operators had had the opportunity to patch, but most had not done so. The vulnerable population was still substantial when the worm hit.
What this teaches about disclosure timing
A few specific things.
25 days is not enough time for the operator population to patch. A month into the patching curve, most operators are still unpatched. Operators need either much faster patching processes or much longer disclosure timelines.
Pre-disclosure exploit code accelerates the worm. The Code Red authors were almost certainly working on the worm before the public patch announcement. The disclosure provided the trigger for the public release; the development happened during the private-knowledge period.
Coordinated disclosure helps but does not solve the problem. Even with the patch available 25 days before the worm, the patching window was insufficient. The structural problem is not the disclosure timing; it is the patching cadence.
What this implies about the disclosure debate
The debate I described in November 2000 had two main positions: full disclosure (publish everything immediately) and coordinated disclosure (wait for the patch). Code Red happened under the coordinated model.
The data from Code Red suggests:
The coordinated disclosure timeline is right but not magic. The patch was available for 25 days before exploitation. This is much better than "no patch available". It is not enough to prevent damage.
The real lever is patching cadence, not disclosure timing. Operators who patch within a few days of disclosure are safe. Operators who patch within a month are too slow. The variability is on the patching side.
Some operators will never patch. A long tail of unpatched IIS servers remained vulnerable to Code Red months after the worm. These hosts are fundamentally exposed regardless of disclosure timing.
What should change
A few proposals, in increasing order of how hard they are.
Operators should improve patching cadence. This is the obvious answer. Operators running critical infrastructure should patch within 7 days of an advisory; non-critical systems within 30 days. Most do not.
Vendors should make patching easier. Automated update mechanisms; clearer prioritisation of security patches; better testing of patches so operators have less reason to wait.
Industry coordination should be tighter. Cross-operator cooperation on patching for the most critical infrastructure. Some kind of "these specific hosts must be patched within X hours" coordination for systemic risks.
Pre-emptive defensive deployment. Not all defence is patching. URLScan-style filtering, IDS rules, network segmentation — all of these provide defence even when the patch has not been applied. Investing in these before the next vulnerability is the structural answer.
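To make the "defence without the patch" point concrete, here is an added example (my own illustration, not code from the post or from Microsoft/URLScan) that runs two of those layers over constructed IIS-style log lines: an URLScan-style block on the .ida/.idq ISAPI mappings that MS01-033 concerns, and an IDS-style signature for the well-known Code Red probe shape (a long run of 'N' for Code Red I, 'X' for Code Red II, followed by %u-encoded words). The log lines, the client addresses and the %u4141 payload bytes are constructed placeholders, and the 20-character run threshold is an assumption chosen for the demo.

```python
import re

# Layer 1, URLScan-style: deny any request for the Index Server ISAPI
# extensions (.ida/.idq). This holds whatever the payload looks like, so it
# also covers variants that change the exploit bytes.
BLOCKED_EXTENSIONS = {".ida", ".idq"}

# Layer 2, IDS-style signature for the Code Red probe: a long run of 'N'
# (Code Red I) or 'X' (Code Red II) followed by %u-encoded words. The real
# worm sends a far longer run; 20 is an assumed, conservative threshold.
PROBE_RE = re.compile(r"^(N{20,}|X{20,})(%u[0-9a-fA-F]{4})+")

# Constructed sample log, W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200
2001-07-19 10:00:02 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u4141%u4141 200
2001-07-19 10:00:03 203.0.113.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u4141%u4141 200
2001-07-19 10:00:04 192.0.2.11 GET /search.idq CiRestriction=foo 200
2001-07-19 10:00:05 192.0.2.12 GET /images/logo.gif - 200
"""

def extension_of(stem):
    """Lower-cased extension of a URI stem, or '' if it has none."""
    name = stem.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""

def classify(line):
    """Classify one IIS log line as ('allow'|'block'|'alert', detail)."""
    fields = line.split()
    if len(fields) < 7:
        return ("allow", "unparsed line")
    client, stem, query = fields[2], fields[4], fields[5]
    query = "" if query == "-" else query
    if PROBE_RE.match(query):
        # Signature hit: record the source so the operator can follow up.
        return ("alert", f"Code Red probe from {client} to {stem}")
    if extension_of(stem) in BLOCKED_EXTENSIONS:
        # Extension filter: request never reaches the vulnerable ISAPI DLL.
        return ("block", f"ISAPI extension filtered: {stem}")
    return ("allow", stem)

def triage(log_text):
    """Run both layers over a log; return only the non-allow verdicts."""
    verdicts = (classify(l) for l in log_text.splitlines() if l.strip())
    return [v for v in verdicts if v[0] != "allow"]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(*verdict)
```

Note that the two layers fail differently: the extension filter blocks the legitimate-looking /search.idq request too (the price of disabling a mapping most sites never used), while the signature alone would miss a probe that changed its padding character.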
What I am taking from this
Three things.
Patching is the chokepoint. Disclosure timing is downstream of patching cadence; if operators cannot patch within days, no disclosure timing helps.
Defence in depth is essential, not optional. Operators who depend solely on patching for security are exposed during every advisory's window. Operators with layered defences survive the window with less damage.
The economic infrastructure favours the attacker. Compromised hosts are now valuable assets that produce ongoing economic returns to attackers. The asymmetry between attacker investment and defender investment is significant.
For my own writing: more posts on the structural defences (IDS, segmentation, monitoring) and less on patching specifically. The patching message is now well-understood; the structural-defence message is less so.
More as the year develops.