TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

For two years, Microsoft put off patching a critical vulnerability. That all changed in July.
In March 2007, Peter Vreugdenhil discovered an arbitrary code execution vulnerability in Microsoft’s Office Web Components. As the Zero Day Initiative (ZDI) reported to Microsoft at the time, an exploit involving maliciously crafted parameters when calling msDataSourceObject() could induce memory management errors that could be used to execute malicious code.

According to ZDI manager Pedram Amini, Microsoft “kept finding the need for more time to ensure the issue was completely addressed,” and thus never produced a patch or issued an advisory to users. ZDI policy is to allow vendors as much time as they feel necessary to produce patches for security vulnerabilities.

In July this year, however, it became evident that this vulnerability was being exploited by malicious security crackers, putting Office Web Components users at risk. Microsoft issued a security advisory at that time and, within a month, released a patch as part of security update MS09-043.

The timeline for these events, starting with the original discovery of the vulnerability, was finally published in ZDI advisory ZDI-09-054 once Microsoft had distributed the patch.

As explained in “There’s more to security than counting vulnerabilities” and demonstrated by “Vulnerability counting revisited: a hypothetical example,” the way a software vendor handles vulnerability patching is a far more relevant measure of security than mere publicly reported vulnerability counts. This incident may not have been as egregious a delay in patch development as the eight-year bug, but it serves as an excellent example both of how poor vulnerability management can be one of the worst security problems a piece of software has, and of how security notifications should not be handled.

Knowledge of a vulnerability before a patch is ready can help us deal with that vulnerability while we wait for the patch, and knowing that revelation of a vulnerability is imminent can put pressure on a software vendor to develop a patch in a timely fashion. It is evident that a vendor like Microsoft, left to its own devices and trusted to deal with a vulnerability in its own time, will fail to live up to that trust.

If you bought the message of Anti-sec’s manifesto — that disclosure of vulnerabilities is dangerous and should be stopped — this incident may help convince you that’s not the whole story.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
