MS Patch Tuesday: Googler zero-day fixed in 33 days

Summary: Microsoft ships a fix for Tavis Ormandy's Windows zero-day flaw in just 33 days. Could the disclosure controversy have been avoided with better communication?

TOPICS: Microsoft, Security

Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.

Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.

Now, just 33 days later, Microsoft has shipped MS10-042 as a "critical" bulletin to cover the hole which has already led to in-the-wild malware attacks.

Ormandy's decision to go public caused quite a stir and remains a he-said, she-said problem that could have been avoided with better communication between the two sides.

For the record, Microsoft says it never failed to give Ormandy a 60-day patch window.  Jerry Bryant, a spokesman for Microsoft's security response team, told me his team communicated to Ormandy on Monday June 7th that it was investigating the issue and would not be able to discuss a release timeline until the end of the week.

"We were surprised when it was released publicly on June 9," Bryant declared.

He said Microsoft was in the "early phases of investigation" when details were publicly released.

The fact that Microsoft pushed out a fix in just 33 days -- much shorter than the average time it takes to issue a fix for a Windows vulnerability -- is a boost to full-disclosure advocates who argue that Ormandy's actions actually helped to secure the ecosystem.

SEE: Defenders of the faith (Tavis acted responsibly)

However, Microsoft's Bryant said the company was originally targeting an August release but accelerated efforts based on attacks impacting Windows XP customers. "The fact that this vulnerability only affects two versions of Windows allowed us to accelerate testing and release this in July," he added.

It's clear that wires between Microsoft and Ormandy got crossed, leading to an utterly avoidable situation.  Clearly there is need for an investigation at Microsoft to put some plasters on the cracks there.

I've been involved in disclosing a critical vulnerability to Microsoft, and I know first-hand that the process is not very smooth. The company puts a lot of the onus on researchers to prove exploitability and turn over more information than is required. In my experience, they also went back on promises and upset the researcher (I was simply a broker helping to get the bug fixed) several times.

After all these years, Bryant and his team should have a smooth process that includes clear and proper communications to everyone involved. Microsoft doesn't pay for vulnerabilities, instead offering an easy-to-miss credit line in its bulletins. The least they could do is make researchers feel like the assets they are.

Now for the details on this month's Patch Tuesday bundle:

MS10-042 (Critical): Vulnerability in Help and Support Center

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-043 (Critical): Vulnerability in Canonical Display Driver

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-044 (Critical): Vulnerabilities in Microsoft Office Access ActiveX Controls

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-045 (Important): Vulnerability in Microsoft Office Outlook

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Talkback

36 comments
  • Which is exactly why Microsoft should not have released it.

    [i]The fact that Microsoft pushed out a fix in just 33 days -- much shorter than the average time it takes to issue a fix for a Windows vulnerability -- is a boost to full-disclosure advocates who argue that Ormandy's actions actually helped to secure the ecosystem.[/i]

    At least not until 60 days had passed. By doing so Ormandy and his band of vigilantes will continue to put users at risk with their temper tantrums.
    ye
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @ye
      Well said. Now we can expect more code to just go open in the wild and cause headaches. There wouldn't be a problem if Ormandy just kept his mouth shut and continued to work with Microsoft on this issue. The guy should have gotten fired a long time ago.
      Loverock Davidson
      • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

        @Loverock Davidson

        Wrong. MS displayed typical large-corporation bureaucratic incompetence so Ormandy went another direction. That MS doesn't even pay for the kind of help Ormandy tried to provide is a disgrace.
        rsservices@...
      • Ormandy's actions tell all we need to know.

        @rsservices: [i]MS displayed typical large-corporation bureaucratic incompetence so Ormandy went another direction.[/i]

        He is acting like a child who doesn't get his way.
        ye
      • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

        @Loverock Davidson

        Hey Lovie, you know when you said "he should have kept his mouth shut"? Now you should better understand why so many just wish you'd also keep your lips buttoned once in a while. Get the point? Lovie .....mouth shut.
        Over and Out
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @ye
      It all depends whose temper tantrum you support, I guess. I suppose that you also believe that the researcher that reported on the electrical flaw in Toyota cars rather than just pass it to Toyota and leave it alone was irresponsible. Why should software vulnerabilities not be released so that, if a manufacturer does not get a fix out in a timely manner, consumers can take preemptive actions themselves (i.e. disabling services) or get 3rd party fixes? Yes, it comes with risks as well as giving a bit of a black eye to the manufacturer, but so does not disclosing the vulnerability, as it is likely to be exploited eventually whether disclosed or not. As much as I appreciate your more technical related posts, your opinions seem to be more like your zealot counterparts which you criticize than a balanced approach.
      Viva la crank dodo
      • I don't support anyone's temper tantrums. I expect people to be adults.

        @Viva la crank dodo: [i]Why should software vulnerabilities not be released so that, if a manufacturer does not get a fix out in a timely manner, consumers can take preemptive actions themselves (i.e. disabling services) or get 3rd party fixes.[/i]

        Because it puts users at risk. Thanks to vigilante Ormandy's temper tantrum roughly 10,000 people were compromised.

        Edit: [i]I suppose that you also believe that the researcher that reported on the electrical flaw in Toyota cars rather than just pass it to Toyota and leave it alone was irresponsible.[/i]

        Funny you should mention this:

        "Report: Toyota crash data suggests driver error"

        http://www.msnbc.msn.com/id/38231384/ns/business-autos/
        ye
      • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

        @Viva la crank dodo
        Funny you should mention this:

        "Report: Toyota crash data suggests driver error"

        Exactly what I was saying, that releasing such information always has a risk (in this case fraudulent opportunists) but it also mitigates the risk to owners when they are aware of the risk.

        The risk of users being open to attacks was there whether the vulnerability was revealed or not. Revealing it did, no doubt, open the awareness of more crackers than not exposing it, but this does not mean that exploits were not already being created by a smaller group anyway. Raising public awareness of any issue can always pose some risks, but it also allows the public to protect themselves as much as possible. Good for MS that they reacted pretty rapidly, but if they didn't meet a timeline to protect their consumers, then the consumers should have the right to knowledge that allows them to reduce/mitigate/transfer the risk themselves. Not that I believe that there should not be a more standard way of doing things; a metaphor comparing the googler to a terrorist is extreme and as appropriate as comparing someone to Hitler because he supports the Republican party or Stalin because he supports the Democrats. There are common general ideals, but such a comparison goes into extremism.
        Viva la crank dodo
      • It was a fitting metaphor.

        @Viva la crank dodo: [i]Not that I believe that there should not be a more standard way of doing things, a metaphor comparing the googler to a terrorist is extreme and as appropriate as comparing someone to Hitler because he supports the republican party or Stalin because he supports the democrats.[/i]
        ye
      • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

        @Viva la crank dodo
        What extremist believes his extreme viewpoints are not reasonable?

        It's like saying that your view is promoting a totalitarian state.
        Viva la crank dodo
      • You'll have to do better than that.

        @Viva la crank dodo: [i]What extremist believes his extreme viewpoints are not reasonable.[/i]

        It's a metaphor, not a point of view. Learn the difference.
        ye
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @ye
      I find it funny that you feel that way. If it was any other company, you'd be cheering the researcher. Since it's your religion that is flawed, you claim the researcher is now some sort of tantrum-throwing vigilante? You Windows zealots are a funny bunch.
      Rick_K
      • Do you have any data to support this erroneous conclusion?

        @Rick_K: [i]If it was any other company, you'd be cheering the researcher.[/i]

        It's wrong regardless if it is Microsoft, Apple, or Linux.

        [i]Since it's your religion that is flawed, you claim the researcher is now some sort of tantrum-throwing vigilante? You Windows zealots are a funny bunch.[/i]

        More erroneous conclusions. As an FYI I just purchased a new MacBook Pro this weekend. $999 at MicroCenter. Sold my 2nd generation BlackBook.

        Do you ever tire of being wrong? Or has it become a part of you that you no longer notice?
        ye
  • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

    MS is a black hole - one way in and forget everyone else. The coding and OS is the problem. An OS and supporting apps can be created that is actually secure from all this bad coding and the average user wouldn't need antivirus software.
    Don't Ask Me
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @Don't Ask Me I'm amazed at your statement. Do you actually believe this?
      Jevans47
    • Then it's great Windows provides this.

      @Don't Ask Me: [i]An OS and supporting apps can be created that is actually secure from all this bad coding and the average user wouldn't need antivirus software.[/i]
      ye
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @Don't Ask Me LOL. Where is your stand-up routine showing this week? With a comedy act like this I'm sure it is SRO.
      ItsTheBottomLine
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @Don't Ask Me

      Are you implying that without Windows there'd be no malware at all? Considering that the first worm ever targeted UNIX systems and the fact that there are examples of Malware for every platform of note, this is an extremely dangerous falsehood to be spreading.

      There is not an OS or platform in existence that anyone should ever trust to be secure. That's like building a fence and not expecting there to ever be any problems with it keeping people out. Security is a process, not a product.
      s_southern
    • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

      @Don't Ask Me - the repliers don't know who they are talking to. Someday I may create that new OS, right now too busy with other things and starting to not care much.
      Don't Ask Me
      • RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

        @Don't Ask Me
        I'll give you a hand to get started..

        10 print "Hello World"
        run
        AndyPagin