For two years, Microsoft put off patching a critical vulnerability. That all changed in July. Chad Perrin looks at vulnerability management and how it doesn't always work out in the best interests of users.
In March 2007, Peter Vreugdenhil discovered an arbitrary code execution vulnerability in Microsoft's Office Web Components. As the Zero Day Initiative (ZDI) reported to Microsoft at the time, calling msDataSourceObject() with maliciously crafted parameters could trigger a memory corruption error that an attacker could use to execute malicious code.
According to ZDI manager Pedram Amini, Microsoft "kept finding the need for more time to ensure the issue was completely addressed," and thus never produced a patch or issued an advisory to users. ZDI policy is to allow vendors as much time as they feel necessary to produce patches for security vulnerabilities.
In July this year, however, it became evident that this vulnerability was being exploited in the wild by malicious security crackers, putting Office Web Components users at risk. Microsoft issued a security advisory at that time (Microsoft Security Advisory 973472) and, within a month, released a patch as part of security update MS09-043.
Only after Microsoft distributed the patch did ZDI publish the full timeline of these events, from the original discovery of the vulnerability onward, in its advisory ZDI-09-054.
As explained in "There's more to security than counting vulnerabilities" and demonstrated by "Vulnerability counting revisited: a hypothetical example," the way a software vendor handles vulnerability patching is a far more relevant measure of security than mere publicly reported vulnerability counts. This incident may not have been as egregious a delay in patch development as the eight-year bug, but it serves as an excellent example both of how poor vulnerability management can be one of the worst security problems a piece of software has and of how security notifications should not be handled.
Knowledge of a vulnerability before a patch is ready can help users mitigate the risk while they wait for the patch, and knowing that disclosure of a vulnerability is imminent can put pressure on a software vendor to develop a patch in a timely fashion. Left to its own devices, and trusted to deal with a vulnerability in its own time, a vendor like Microsoft will evidently fail to live up to that trust.
If you bought the message of Anti-sec's manifesto — that disclosure of vulnerabilities is dangerous and should be stopped — this incident may help convince you that's not the whole story.