MS Patch Tuesday: Googler zero-day fixed in 33 days
Summary: Microsoft ships a fix for Tavis Ormandy's Windows zero-day flaw in just 33 days. Could the disclosure controversy have been avoided with better communication?
Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.
Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.
Now, just 33 days later, Microsoft has shipped MS10-042 as a "critical" bulletin to cover the hole which has already led to in-the-wild malware attacks.
Ormandy's decision to go public caused quite a stir and remains a he-said, she-said problem that could have been avoided with better communication between the two sides.
For the record, Microsoft says it never failed to give Ormandy a 60-day patch window. Jerry Bryant, a spokesman for Microsoft's security response team, told me his team communicated to Ormandy on Monday June 7th that it was investigating the issue and would not be able to discuss a release timeline until the end of the week.
"We were surprised when it was released publicly on June 9," Bryant declared.
He said Microsoft was in the "early phases of investigation" when details were publicly released.
The fact that Microsoft pushed out a fix in just 33 days -- much shorter than the average time it takes to issue a fix for a Windows vulnerability -- is a boost to full-disclosure advocates who argue that Ormandy's actions actually helped to secure the ecosystem.
SEE: Defenders of the faith (Tavis acted responsibly)
However, Microsoft's Bryant said the company was originally targeting an August release but accelerated efforts based on attacks impacting Windows XP customers. "The fact that this vulnerability only affects two versions of Windows allowed us to accelerate testing and release this in July," he added.
It's clear that wires between Microsoft and Ormandy got crossed, leading to an utterly avoidable situation. Clearly there is a need for an investigation at Microsoft to put some plasters on the cracks there.
I've been involved in disclosing a critical vulnerability to Microsoft, so I know first-hand that the process is not very smooth. The company puts a lot of the onus on researchers to prove exploitability and turn over more information than is required. In my experience, they also went back on promises and upset the researcher (I was simply a broker helping to get the bug fixed) several times.
After all these years, Bryant and his team should have a smooth process that includes clear and proper communications to everyone involved. Microsoft doesn't pay for vulnerabilities, instead offering an easy-to-miss credit line in its bulletins. The least they could do is make researchers feel like the assets they are.
Now for the details on this month's Patch Tuesday bundle:
MS10-042 (Critical): Vulnerability in Help and Support Center
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.
MS10-043 (Critical) Vulnerability in Canonical Display Driver
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
MS10-044 (Critical) Vulnerabilities in Microsoft Office Access ActiveX Controls
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS10-045 (Important) Vulnerability in Microsoft Office Outlook
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Talkback
Which is exactly why Microsoft should not have released it.
At least not until 60 days had passed. By doing so Ormandy and his band of vigilantes will continue to put users at risk with their temper tantrums.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
Well said. Now we can expect more code to just go open in the wild and cause headaches. There wouldn't be a problem if Ormandy just kept his mouth shut and continued to work with Microsoft on this issue. The guy should have gotten fired a long time ago.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
Wrong. MS displayed typical large-corporation bureaucratic incompetence so Ormandy went another direction. That MS doesn't even pay for the kind of help Ormandy tried to provide is a disgrace.
Ormandy's actions tell all we need to know.
He is acting like a child who doesn't get his way.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
I don't support anyone's temper tantrums. I expect people to be adults.
Edit: [i]I suppose that you also believe that the researcher that reported on the electrical flaw in Toyota cars rather than just pass it to Toyota and leave it alone was irresponsible.[/i]
Funny you should mention this:
"Report: Toyota crash data suggests driver error"
http://www.msnbc.msn.com/id/38231384/ns/business-autos/
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
Funny you should mention this:
"Report: Toyota crash data suggests driver error"
Exactly what I was saying, that releasing such information always has a risk (in this case fraudulent opportunists) but it also mitigates the risk to owners when they are aware of the risk.
The risk of users being open to attacks was there whether the vulnerability was revealed or not. Revealing it did, no doubt, open the awareness of more crackers than not exposing it, but this does not mean that exploits were not already being created by a smaller group anyway. Raising public awareness of any issue can always pose some risks, but it also allows the public to protect themselves as much as possible. Good for MS that they reacted pretty rapidly, but if they didn't meet a timeline to protect their consumers, then the consumers should have the right to knowledge that allows them to reduce/mitigate/transfer the risk themselves. Not that I believe there shouldn't be a more standard way of doing things, but a metaphor comparing the googler to a terrorist is extreme and as appropriate as comparing someone to Hitler because he supports the Republican party or Stalin because he supports the Democrats. There are common general ideals, but such a comparison goes into extremism.
It was a fitting metaphor.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
It's like saying that your view is promoting a totalitarian state.
You'll have to do better than that.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
I find it funny that you feel that way. If it was any other company, you'd be cheering the researcher. Since it's your religion that is flawed, you claim the researcher is now some sort of tantrum-throwing vigilante? You Windows zealots are a funny bunch.
Do you have any data to support this erroneous conclusion?
It's wrong regardless if it is Microsoft, Apple, or Linux.
[i]Since it's your religion that is flawed, you claim the researcher is now some sort of tantrum-throwing vigilante? You Windows zealots are a funny bunch.[/i]
More erroneous conclusions. As an FYI I just purchased a new MacBook Pro this weekend. $999 at MicroCenter. Sold my 2nd generation BlackBook.
Do you ever tire of being wrong? Or has it become a part of you that you no longer notice?
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
Then it's great Windows provides this.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
Are you implying that without Windows there'd be no malware at all? Considering that the first worm ever targeted UNIX systems and the fact that there are examples of Malware for every platform of note, this is an extremely dangerous falsehood to be spreading.
There is not an OS or platform in existence that anyone should ever trust to be secure. That's like building a fence and not expecting there to ever be any problems with it keeping people out. Security is a process, not a product.
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
RE: MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days
I'll give you a hand to get started...
10 print "Hello World"
run