
MSFT’s version of responsible disclosure (Tue, May 12th)


Microsoft is the one big company screaming loudest of all over responsible disclosure.
They want an infinite amount of time to release their patches before those who found the problem are allowed to publish (though they may publish the second after Microsoft releases the patch; that is fine for Microsoft, while for their customers it is a bit of a different matter, of course). Attackers, of course, couldn’t care less about disclosure, and even some vulnerability researchers don’t care for the credit line that Microsoft offers, nor about the “irresponsible” label it might earn them.
Still, a policy typically cuts both ways: you need to obey the rules yourself just as much as everybody else does.
So let’s have a look at MS09-017:

An unprecedented bunch of CVEs fixed.
Vulnerabilities in Office 2004 and 2008
Vulnerabilities in Works 8.5 and 9.0
No fixes for Office 2004, Office 2008, Works 8.5 or Works 9.0

We all know from past experience that the reverse engineering of patches back into exploits starts at the time the patches are released, if not before. Typically it takes between a few hours and a day or so to complete if the bug is easy to exploit (and the new Microsoft exploitability rating points out that these are pretty easy).
So in the end Microsoft just released what hackers need to attack:

CVE-2009-0224 on Office 2004, Office 2008, the XML converter tools on Mac, Works 8.5 and Works 9.0; according to Microsoft themselves this CVE was not publicly known.
CVE-2009-0556 on Office 2004 (this one was publicly known and used in attacks); only the attack against the old software on Mac might be news to some, and there is still no patch available.
CVE-2009-1130 on Office 2004; according to Microsoft themselves this vulnerability was not publicly known.

So what do you think of Microsoft and their responsible behavior in releasing MS09-017 as it was done?

You can use the poll …
