
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| Microsoft admits it knew of critical IE vulnerability in 08
Lengthy time gap 'not acceptable,' says analyst; workaround update set for Tuesday
By Gregg Keizer, July 9, 2009 10:25 PM ET
»www.computerworld.com/s/article/···09-07-10
Computerworld - Microsoft on Thursday confirmed it has known about a bug behind widespread Internet Explorer (IE) attacks for more than a year, but defended its security process against critics.
According to Mike Reavey, director of Microsoft's Security Response Center (MSRC), the company first got word of a critical flaw in an ActiveX control in early spring 2008. The bug can be exploited through IE6 and IE7 on Windows XP. Two researchers, Ryan Smith and Alex Wheeler, reported the bug to Microsoft when they worked together at IBM's ISS X-Force in 2007. Smith is now a vulnerability researcher at VeriSign iDefense, while Wheeler manages 3Com's TippingPoint DVLabs.
Although both Smith and Wheeler have declined to say when they reported the vulnerability, the bug's CVE (Common Vulnerabilities and Exposures) number pointed to an early 2008 reporting date.
The 16- to 18-month stretch between early 2008 and now is too long for Microsoft's customers to go without a patch, said John Pescatore, Gartner's primary security analyst. "That's just not an acceptable timeframe," Pescatore said. "It shouldn't take a year, not [for] a company the size of Microsoft.
"It's really hard to think of some technical reason why it would take 18 months. That means it must be for other reasons, business reasons or product reasons or priority reasons," he said. "But this had to have been pretty high-priority."
"We kicked off our investigation as soon as the vulnerability was reported to us," countered Reavey. "When a vulnerability is reported, we not only look at that, but also investigate other issues around it to provide as much protection as possible."
The 16- to 18-month time span, however, is certainly above average, Reavey agreed. "The timeline is not the norm," he said. "The vast majority of vulnerabilities are patched before there's ever an attack."
What, then, took so long?
Although Reavey declined to get specific today, Smith, one of the researchers who reported the vulnerability, hinted at reasons. "The nature of this flaw is sort of unique," he said. "The mechanics of this are sort of unique as well. It was those unique qualities that required more time than Microsoft would normally need."
Smith refused to criticize Microsoft for not patching sooner. "All along the way, they've told me how far things have progressed," he said of Microsoft's security team. "They would ping me every time they reached a milestone on the fix."
Even so, he admitted that patching quickly is better than fixing slowly. "As a security researcher, you always want to see a patch the day after you report a bug," Smith said.
In fact, Microsoft has not yet wrapped up work on a fix, Reavey acknowledged. "We'll release something that will block all known attacks next week," he said, referring to Tuesday, July 14, when Microsoft rolls out its monthly security updates. But it won't be a full-fledged patch.
Instead, next week's updates will set 45 "kill bits" in the Windows registry, disabling the ActiveX control. On Monday, Microsoft published a free tool that did the same thing, but the tool required someone to sit at each PC, browse to a support site, download the tool and then run it. "That just wasn't realistic for enterprises," said Gartner's Pescatore. "It was 'high touch,' and certainly not something that, say, Procter and Gamble could do."
Microsoft did consider issuing the "kill bit" update earlier as a protective measure, both Smith and Reavey said. "They did, but they wanted to deliver the best patch," said Smith.
Reavey gave essentially the same reason why Microsoft didn't take action earlier. "We always want to give customers a complete solution," Reavey said, alluding to a patch rather than the automated workaround it will issue next week. "If we had tried to do something earlier, it wouldn't have been as clean for customers."
He also denied that Microsoft had known that attacks were out and about last month, as others have claimed. IBM's X-Force, where Smith and Wheeler worked when they discovered the vulnerability, said Monday that attacks had been recorded as early as June 11.
"We were made aware of the attacks the day before we released the advisory," Reavey said, which would mean the company knew of attacks on July 5, nearly a month after IBM said attacks had started. "Once we saw the attacks, we took a look at the current status [of our work] and what's being attacked, [and] put things on a fast track."
On a Microsoft blog today announcing the security updates slated for release next week, an MSRC spokesman said, "...our engineering teams have been working around the clock to produce an update."
Microsoft also denied that vulnerability details had leaked to hackers at some point during the last 16-18 months, perhaps through the Microsoft Active Protection Program (MAPP), a program that gives security software companies early information on bugs. "Microsoft did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posted," a company spokesman said today.
Hackers are exploiting the ActiveX vulnerability by getting users to visit malicious sites, or planting drive-by attack code on legitimate sites. The number of compromised sites serving up the malware to IE6 and IE7 users has skyrocketed, and number in the millions, according to ScanSafe.
At some point, Microsoft will release a true patch for the problem, Reavey said. He declined to say whether that patch would be delivered "out-of-cycle" -- outside the normal monthly update schedule -- when it is ready, however.
--
Specializing in "take downs" of phishing and advance fee scams. Send your Phishing/Advance fee scams to: phish@antihotmail.com »www.phishtank.com »www.fraudwatchers.org »mozilla.com
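The kill-bit workaround the article describes (a registry flag that stops IE from instantiating an ActiveX control) can be audited from PowerShell. This is an added example, not code from the article, Microsoft or any poster in this thread; it assumes the documented kill-bit registry location and uses placeholder CLSIDs in place of the 45 values the update sets, which the article does not list.

```powershell
# Added example, not from the article or Microsoft: audit (and optionally set)
# IE ActiveX kill bits. A kill bit is the 0x400 flag in the "Compatibility Flags"
# DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (on 64-bit Windows the 32-bit view lives under ...\Wow6432Node\... as well).
$KillBitBases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBitFlag = 0x400

function Test-KillBit {
    # Returns $true only if the 0x400 flag is present for the CLSID under $Base.
    param([Parameter(Mandatory)][string]$Clsid, [string]$Base = $KillBitBases[0])
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # Defensive mitigation: OR the kill bit into the existing flags (creates the key if needed).
    param([Parameter(Mandatory)][string]$Clsid, [string]$Base = $KillBitBases[0])
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

function Get-KillBitReport {
    # One row per CLSID and registry view, so an admin can see which controls are still live.
    param([Parameter(Mandatory)][string[]]$ClsidList)
    foreach ($clsid in $ClsidList) {
        foreach ($base in $KillBitBases) {
            if (Test-Path -LiteralPath $base) {
                [pscustomobject]@{ CLSID = $clsid; View = $base; KillBitSet = (Test-KillBit $clsid $base) }
            }
        }
    }
}

# PLACEHOLDER CLSIDs (constructed for illustration); substitute the ones listed in
# Microsoft Security Advisory 972890, which this example does not reproduce.
$Advisory972890Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)
Get-KillBitReport -ClsidList $Advisory972890Clsids | Format-Table -AutoSize
```

Run the report from an elevated shell; Set-KillBit also needs administrative rights because it writes under HKLM.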
Cabal Premium join:2007-01-21 Boston, MA
| reply to antiphishing Re: Microsoft admits it knew of critical IE vulnerability in 08
Not surprising, thanks for the heads up.

SUMware Premium join:2002-05-21
| reply to antiphishing
From PC Mag 07.10.09 - said by Larry Seltzer : Lots of folks are becoming annoyed at the picture emerging of the DirectX vulnerability which went zero-day this week, and which Microsoft hopes to patch next week.
The problem is that Microsoft has stated that they became aware of the vulnerability in "the early Spring of 2008". Let's assume the earliest, which is March: that makes this bug about 18 months old. What's more, the report came from the IBM ISS X-Force, a very credible source. What could possibly justify such a lag in addressing the problem?
The bug was in one of a number of interfaces to Internet Explorer which, to their knowledge, had no known use. In fact, these interfaces were already disabled by design in Vista.
And it seems, from the way the announcements have been worded, that they weren't necessarily planning to include these fixes in this month's Patch Tuesday, but threw them in when the zero-day attacks hit.
Clearly Microsoft takes a long time to do these compatibility tests. This is understandable from their perspective, especially since they're dealing with older products.
But from the perspective of XP users, of whom there are zillions, it is unacceptable, and I think Microsoft took their eye off the ball here. If it's that much easier to issue patches for vulnerabilities than to disable them, then they should have issued patches and then gone on to the much longer process of disabling. Speed counts in this business.
siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC
| reply to antiphishing Microsoft knew of nasty IE bug a year before attacks »www.theregister.co.uk/2009/07/09···delayed/

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
| reply to antiphishing
Good job Microsoft... ignore a problem, dismiss public reports saying that it's not being exploited like morons, and then wait for it to be exploited.
What I see here is their stupidity showing again, they have done this many times over during the years, ignored a problem, calling it 'working as intended', and then only patched it AFTER it was used to exploit people on a large scale.
Great job Microsoft... Way to prove to be a leader in the security field, MORONS!
I've reported similar things in the past to Microsoft, and got the "Working as intended" bullcrap, so I just stopped all official testing for them. Yes, more than one flaw I've found has become an exploit in their software, but they didn't want to listen when they could have fixed it before it was a major problem.
Microsoft does not have security in mind first.... As the maker of the most popular operating systems they better damn well change this.
--
My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. $125 per hour if you called tech support, and didn't fix the issue while making things worse

Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by BlitzenZeus :
Good job Microsoft... ignore a problem, dismiss public reports saying that it's not being exploited like morons, and then wait for it to be exploited.
I don't think that's what happened here at all: there was apparently something specially funky about this particular bug that made it hard to fix, and though I'm really looking to find out what that special sauce is, I don't believe for one minute that Microsoft ignored anything.
said by the article :
Smith refused to criticize Microsoft for not patching sooner. "All along the way, they've told me how far things have progressed," he said of Microsoft's security team. "They would ping me every time they reached a milestone on the fix."
I'm willing to reserve judgement until I hear more, though I certainly agree that 18 months sounds outrageous.

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
| This is off-topic, but merely an example of these so-called hard to fix bugs.
For those of you who remember Kerio 4.x before it was bought by another company? Their beta versions had severe event logging problems, but they first ignored my reports of this, then said their engine couldn't be easily fixed without a larger rewrite. They released the software with this problem, and charged for it. Needless to say Kerio 4.x didn't do well... They finally fixed the logging issues many versions later, but by this time people realized they were full of bullcrap, along with releasing beta quality software with some severe known issues.
I believe they ignored it, it was not the first time they ignored problems like this, and sadly it likely won't be the last.
--
My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. $125 per hour if you called tech support, and didn't fix the issue while making things worse

SUMware Premium join:2002-05-21
1 edit | reply to antiphishing
Cyber Secure Institute Criticizes MS's "Hack-and-Patch" Strategy
From TG Daily
July 08, 2009 - quote: CSI criticizes Microsoft's hack-and-patch strategy
The Cyber Secure Institute (CSI) has criticized Microsoft's current "hack-and-patch" strategy.
"We have to break this cycle. We have to stop relying on the old hack-and-patch. We need to focus on deploying new technologies that are inherently secure, technologies that are, in fact, certified secure against the types of threats we face today," CSI executive director Rob Housman told TG Daily.
Indeed, Microsoft's latest Video ActiveX Control security advisory (972890) did not even include an update or patch.
"That Microsoft would go out with this vulnerability even without an update shows the high degree of risk here. Moreover, it shows the overall level of vulnerability inherent in today's IT environment," explained Housman. "I hope to be proven wrong, but Windows 7 probably won't offer any serious security improvements."
According to Housman, security requirements are often ignored during the design of a new system.
"This approach - where security is essentially bolted on - is destined to fail. It forces administrators to build a wall around an inherently insecure system. However, as in real life, people can go around, over and under a wall."
From Examiner July 9, 2009 - said by Michael Kassner : Microsoft acknowledged this latest ActiveX bug a year ago, so why isn't it fixed?
Well, Microsoft did it again; they ignored a researcher's warning, leaving them in hurry-up mode, trying to fix an Internet Explorer exploit that's gone zero-day.
You may wonder why I'm rehashing this vulnerability. That's a valid question. In explanation, I thought everyone would like to know that once again Microsoft has chosen to disregard warnings by well-known security research teams. This vulnerability was reported a year ago and I submit CVE-2008-0015 as proof that Microsoft acknowledged the bug in 2008.
I say once again as this same scenario happened not that long ago with a different vulnerability that was exploited by the Conficker worm. Microsoft eventually released an out-of-sequence patch for it. Even so, the bad guys have had little trouble creating a botnet consisting of millions of Conficker-infected computers that are sending billions of spam e-mail messages out each day.
I chronicled that effort in several articles, here are two of them: MS08-067: Not updating has created a monster botnet and Conficker.C: April Fools or maybe not.
The security analysts who raised the alarm about the new ActiveX vulnerability are more concerned about this zero-day exploit than Conficker. They feel it has the potential to out-perform Conficker, which is not a good thing. I guess only time will tell. Hopefully, Microsoft will have a permanent fix ready for next Tuesday which is their regularly scheduled patch day.
[some emphasis added]

Khaine
join:2003-03-03 Australia
| reply to Steve Re: Microsoft admits it knew of critical IE vulnerability in 08
said by Steve :
said by BlitzenZeus :
Good job Microsoft... ignore a problem, dismiss public reports saying that it's not being exploited like morons, and then wait for it to be exploited.
I don't think that's what happened here at all: there was apparently something specially funky about this particular bug that made it hard to fix, and though I'm really looking to find out what that special sauce is, I don't believe for one minute that Microsoft ignored anything.
said by the article :
Smith refused to criticize Microsoft for not patching sooner. "All along the way, they've told me how far things have progressed," he said of Microsoft's security team. "They would ping me every time they reached a milestone on the fix."
I'm willing to reserve judgement until I hear more, though I certainly agree that 18 months sounds outrageous.
While I think that you are right, that Microsoft were struggling to fix it, I feel as a user I should be made aware of risks I face and what I can do to mitigate them. Microsoft can do this without disclosing the technical details.