MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days

Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.

Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.

Now, just 33 days later, Microsoft has shipped MS10-042 as a “critical” bulletin to cover the hole which has already led to in-the-wild malware attacks.

Ormandy’s decision to go public caused quite a stir and remains a he-said, she-said problem that could have been avoided with better communication between the two sides.

For the record, Microsoft says it never failed to give Ormandy a 60-day patch window. Jerry Bryant, a spokesman for Microsoft’s security response team, told me his team communicated to Ormandy on Monday June 7th that it was investigating the issue and would not be able to discuss a release timeline until the end of the week.

“We were surprised when it was released publicly on June 9,” Bryant declared.

He said Microsoft was in the “early phases of investigation” when details were publicly released. 

The fact that Microsoft pushed out a fix in just 33 days — much shorter than the average time it takes to issue a fix for a Windows vulnerability — is a boost to full-disclosure advocates who argue that Ormandy’s actions actually helped to secure the ecosystem.

However, Microsoft’s Bryant said the company was originally targeting an August release but accelerated efforts based on attacks impacting Windows XP customers. “The fact that this vulnerability only affects two versions of Windows allowed us to accelerate testing and release this in July,” he added.

It’s clear that wires between Microsoft and Ormandy got crossed, leading to an utterly avoidable situation. Clearly there is need for an investigation at Microsoft to put some plasters on the cracks there.

I’ve been involved in disclosing a critical vulnerability to Microsoft, and I know first-hand that the process is not very smooth. The company puts a lot of the onus on researchers to prove exploitability and turn over more information than is required. In my experience, they also went back on promises and upset the researcher (I was simply a broker helping to get the bug fixed) several times.

After all these years, Bryant and his team should have a smooth process that includes clear and proper communications to everyone involved. Microsoft doesn’t pay for vulnerabilities, instead offering an easy-to-miss credit line in its bulletins. The least they could do is make researchers feel like the assets they are.

Now for the details on this month’s Patch Tuesday bundle:

MS10-042 (Critical): Vulnerability in Help and Support Center

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message. 

MS10-043 (Critical): Vulnerability in Canonical Display Driver

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-044 (Critical): Vulnerabilities in Microsoft Office Access ActiveX Controls

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.  

MS10-045 (Important): Vulnerability in Microsoft Office Outlook

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Discussion

  • Anonymous on

    I should thank Mr. Tavis Ormandy for his actions.  Thanks to this idiot, we had to go around checking over 400 computers and have our only two techs run all over our eight divisions.

    From our point of view, this is what we see here:

    Mr. Tavis Ormandy does not know that testing and researching a problem of this kind takes time.  Designing and testing the software also takes time -- and believe me I am not on Microsoft's side.

    Getting the patch out of the door bug free also takes time but I am assuming that Mr. Tavis Ormandy knows all this because he is the one that made the decision.

    We think that he should pay for some of the damages caused by his so-called decision.  He should also pay for the time we had to spend taking care of the problem that he created.

    But then again nothing is going to get done about this,

    MC

  • Steve on

    I'm sorry, but it seems to me you're whining for doing the job you're getting paid to do, MC...

  • Anonymous on

    MC,

    You should have WSUS installed. That is just a plain foolish post!

  • Todd on

    Last I knew it wasn't him who "created" the problem as you state. Google, nor this guy, work for MS and the hole was in MS OS, not a Google product. Just because he let the proverbial cat out of the bag doesn't mean, by any stretch of the imagination that "evil-doers" weren't already capitalizing on this hole.

    What Mr. Anonymous said is 100% correct. If you're not using WSUS in an environment of over 400 systems, then you're a fool and most likely behind a world of updates anyway.

  • EA on

    MC the only 'idiot' is you, twice! I agree with all comments above and you should be sanctioned for paying two techs to run around like headless chickens fixing what you should have been prepared for.

    Oh and the second point is admitting publicly that you are the idiot, I commend Tavis for doing what he felt had to be done.

  • Shane Cauley Cheyenne on

    It seems he went public for his own gain. 

    Shane Cauley Wyoming

  • Quackers Web on

    To misquote the latest GEICO ad "[MC] is a jack wagon from namby-pamby land!" 

    Hand updating 400 workstations sounds like government work (where it can be required to update every Windows PC by hand - and believe you me - been there - done that - way too many times - with multiple filed change requests against the mandated system management protocol) - BUT complaining about a Googler's early disclosure forcing the RAPID fixing of a Microsoft Windows security hole?

    That strikes me as a false note:  That is definitely the wrong kind of government system management attitude - similar to what a military sentry might say to his Lt. after being woken from sleep on the job with his fully loaded M-16 propped up against the wide open main gate.

    Googler should be praised because all security disclosures lead to transparency - and the exposure of ugly security holes is a necessary business of state, where transparency should not just be in the eye of the potential opponent who developed the hole in the first place.

    Which, unfortunately, Microsoft has never appreciated since they make money the old fashioned IT way - invoicing for thousands of government change orders - delivered with their recommended system management protocols - which usually don't work in emergencies - at least, not without paid on-call, triple overtime, secure support consultants.

    Hint to MC - Take this back up with the original authors of this Windows mess in Redmond, their many Chinese developers, and the many pork-subsidized GAO-approved system integration contractors.

    OR - learn FreeVMS system management and join the Tea Party to help reduce government spending by deploying manageable secure systems from the get-go.

    We have to choose:

    Government by FUBAR-ware and corrupt foreign developer contracts with megabuck kick-backs?

    Or government by the free and Open Source?

    Think about it ...
