SANS ISC: InfoSec Handlers Diary Blog



MSFT's version of responsible disclosure

Published: 2009-05-12
Last Updated: 2009-05-12 20:22:19 UTC
by Swa Frantzen (Version: 3)

Microsoft is the big company that shouts loudest of all about "responsible disclosure".

They want an unlimited amount of time to release their patches before those who found the problem are allowed to publish. Publishing the second after Microsoft releases the patch is fine for Microsoft (for their customers it is a bit of a different matter, of course). Attackers, of course, couldn't care less about disclosure, and some vulnerability researchers don't care for the credit line that Microsoft offers, nor for the "irresponsible" label that ignoring it might earn them.

Still, a policy typically cuts both ways: you need to obey the rules yourself just as much as you demand it from everyone else involved.

So, let's have a look at MS09-017:

  • An unprecedented number of CVEs fixed in one bulletin.
  • Vulnerabilities in Office 2004 for Mac and Office 2008 for Mac.
  • Vulnerabilities in Works 8.5 and Works 9.0.
  • No fixes available for Office 2004, Office 2008, Works 8.5 or Works 9.0.

We all know from past experience that the reverse engineering of patches back into exploits starts the moment the patches are released, if not before. Typically it takes between a few hours and a few days to complete if the bug is easy to exploit (and Microsoft's new exploitability rating indicates these ones are).

So in the end Microsoft just released what attackers need to attack the unpatched products:

  • CVE-2009-0224 on Office 2004, Office 2008, the Open XML File Format Converter for Mac, Works 8.5 and Works 9.0, a vulnerability that, according to Microsoft itself, was not publicly known before the bulletin.
  • CVE-2009-0556 on Office 2004 (this one was publicly known and exploited in the wild). The attack against the old Mac software might be news to some, and there is still no patch available for it.
  • CVE-2009-1130 on Office 2004, a vulnerability that, according to Microsoft itself, was not publicly known before the bulletin.

Microsoft's note in the FAQ section of MS09-017:

I am running Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5, or Microsoft Works 9.0. Why are updates not available for this software?
Microsoft is able to release this current update because we have updates ready on the regular bulletin release cycle for an entire product line to address the vast majority of customers at risk. We are aware of active exploitation on versions of Microsoft Office PowerPoint running on Windows operating systems. The updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5, Microsoft Works 9.0 are still in development. Microsoft will issue updates on the regular bulletin release cycle for these product lines when testing is complete to ensure quality.

So what do you think of Microsoft and their "responsible" behavior in releasing MS09-017 as it was done?

You can use the poll, or, for the finer nuances, the contact form to tell us which valid alternatives you would have chosen instead of the way Microsoft did this. We'll summarize those.

--
Swa Frantzen -- Section 66
