Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.
Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.
Now, just 33 days later, Microsoft has shipped MS10-042 as a “critical” bulletin to cover the hole, which has already been exploited in in-the-wild malware attacks.
Ormandy’s decision to go public caused quite a stir and remains a he-said, she-said problem that could have been avoided with better communication between the two sides.
For the record, Microsoft says it never failed to give Ormandy a 60-day patch window. Jerry Bryant, a spokesman for Microsoft’s security response team, told me his team communicated to Ormandy on Monday June 7th that it was investigating the issue and would not be able to discuss a release timeline until the end of the week.
“We were surprised when it was released publicly on June 9,” Bryant declared.
He said Microsoft was in the “early phases of investigation” when details were publicly released.
The fact that Microsoft pushed out a fix in just 33 days — much shorter than the average time it takes to issue a fix for a Windows vulnerability — is a boost to full-disclosure advocates who argue that Ormandy’s actions actually helped to secure the ecosystem.
However, Microsoft’s Bryant said the company was originally targeting an August release but accelerated efforts based on attacks impacting Windows XP customers. “The fact that this vulnerability only affects two versions of Windows allowed us to accelerate testing and release this in July,” he added.
It’s clear that wires between Microsoft and Ormandy got crossed, leading to an utterly avoidable situation. Microsoft needs to look at what went wrong on its side of the process and put some plasters on the cracks there.
I’ve been involved in disclosing a critical vulnerability to Microsoft, so I know first-hand that the process is not very smooth. The company puts a lot of the onus on researchers to prove exploitability and turn over more information than is required. In my experience, they also went back on promises and upset the researcher (I was simply a broker helping to get the bug fixed) several times.
After all these years, Bryant and his team should have a smooth process that includes clear and proper communications to everyone involved. Microsoft doesn’t pay for vulnerabilities, instead offering an easy-to-miss credit line in its bulletins. The least they could do is make researchers feel like the assets they are.
Now for the details on this month’s Patch Tuesday bundle:
MS10-042 (Critical): Vulnerability in Help and Support Center
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.
MS10-043 (Critical): Vulnerability in Canonical Display Driver
This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization (ASLR). In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart, making this a denial-of-service bug in practice.
MS10-044 (Critical): Vulnerabilities in Microsoft Office Access ActiveX Controls
This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS10-045 (Important): Vulnerability in Microsoft Office Outlook
This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.