Last Updated: 2009-05-12 20:22:19 UTC
by Swa Frantzen (Version: 3)
Microsoft is the one big company screaming loudest of all over "responsible disclosure".
They want an unlimited amount of time to release their patches before those who found the problem are allowed to publish (they may publish the second after Microsoft releases the patch; that is all fine for Microsoft, though for their customers it is a bit of a different matter, of course). Of course attackers couldn't care less about disclosure, and even some vulnerability researchers don't care for the credit line that Microsoft offers, nor for the "irresponsible" brand it might earn them.
Still, a policy typically cuts both ways: you need to obey the rules yourself just as much as you demand it from everybody else involved.
So, let's have a look at MS09-017:
- An unprecedented number of CVEs fixed in one patch.
- Vulnerabilities in Office 2004 and 2008.
- Vulnerabilities in Works 8.5 and 9.0.
- No fixes available for Office 2004, Office 2008, Works 8.5 nor Works 9.0.
We all know from past experience that reverse engineering patches back into exploits starts the moment the patches are released, if not before. Typically it takes between a few hours and a few days to complete if the bug is easy to exploit (and the new Microsoft exploitability rating points out that these are pretty easy).
So in the end Microsoft just released what hackers need to attack:
- CVE-2009-0224 on Office 2004, Office 2008, the XML converter tools on Mac, Works 8.5 and Works 9.0; according to Microsoft themselves this vulnerability was not publicly known.
- CVE-2009-0556 on Office 2004 (this one was publicly known and used); the attack against the old software on Mac might still be news to some, and there is still no patch available.
- CVE-2009-1130 on Office 2004; according to Microsoft themselves this vulnerability was not publicly known.
Microsoft's note in the FAQ section of MS09-017:
So what do you think of Microsoft and their "responsible" behavior in releasing MS09-017 as it was done?
Swa Frantzen -- Section 66