Windows Vulnerability Made Public Before Patch is Released

The debate over responsible disclosure continues…

Google is in the news again for publicly releasing details about a security vulnerability in Windows, a vulnerability it knew was being actively used to attack users.

Doesn’t sound like a big deal, right?

Well, the problem was that, in the interest of responsible disclosure, Google didn’t wait for Microsoft to release a patch.

Google published its findings on the 31st of October. Its post outlined two different vulnerabilities – one that affected Adobe Flash, in addition to the one affecting Windows. These two vulnerabilities were being used together to gain access to users’ PCs.

It’s Google’s policy to publicly disclose vulnerabilities within 7 days of discovery if they are being actively exploited. Adobe had time to release a patch within the 7-day period, but Microsoft won’t have a patch available until November 8th.

Users who update Flash should be protected, since both vulnerabilities needed to exist for the specific exploit to be successful. But that has done little to quell Microsoft’s anger.

In a statement from Microsoft, Terry Myerson, the Executive Vice President of the Windows and Devices Group said “responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”

But are users really at increased risk? Who exactly did Google put in harm’s way by disclosing the vulnerability before a patch was available?

These are all questions that the security community asks every time a vulnerability is found, and it’s very much an open debate.

Earlier this week we were talking about Google’s Project Zero, another taskforce-of-sorts within Google that looks for zero-day vulnerabilities. Project Zero publicly disclosed a vulnerability in Apple’s macOS and iOS a day after Apple released a patch for it. This was after granting Apple an extension to its 90-day disclosure policy, which, as the name implies, gives vendors 90 days to patch the vulnerability before it’s made public. Apple would have missed that deadline by weeks.

In that case, Google’s Project Zero felt it was okay to grant an extension because it did not have evidence that the vulnerability was actively being used.

These two vulnerabilities, Apple’s and Microsoft’s, were also found by two entirely separate departments within Google. So these decisions were made by different people.

In a case like this Windows vulnerability, where it’s known to be actively exploited, there is more pressure to publicly disclose it as soon as possible so that potential targets can be aware of the risk. After all, you can’t protect yourself if you don’t know how, or by whom, you are being attacked.

But those who criticize this position say that public disclosure is akin to putting weapons into more hands, especially when a working proof-of-concept (an industry term that refers to a working exploit that uses the vulnerability) accompanies the disclosure.

Fortunately, we can do more than just speculate about potential danger. Looking at how these vulnerabilities are used in the real world can give us a better understanding of the risks involved with different types of disclosure.

The group exploiting this new pair of vulnerabilities is known by many names – including APT28 and Fancy Bear. But we are going to refer to them as STRONTIUM, which is how Microsoft refers to them.

STRONTIUM is also behind the breach of multiple American political groups and figures, including the Democratic National Committee and former Secretary of State Colin Powell. In fact, “Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016.”

Groups that want to use zero-days can either purchase them – security firms will run “bounties” for zero-days that affect popular platforms and pay upwards of a million dollars for a single one – or try to discover them on their own, which can take hundreds of hours of research. Either method is extremely expensive.

Like other expensive weapons, hacking groups use zero-days sparingly. The more a vulnerability is used, the more likely someone will notice. No one is trying to phish grandma with a zero-day Flash exploit. It’s wasting a big bomb on a small target. National governments are one of the biggest purchasers of zero-days and they usually use them to attack pre-determined targets, usually political enemies/activists.

That was the case earlier this year when a series of iPhone zero-days were used by the UAE government against a human rights activist. It also seems to be the case here – STRONTIUM, the only group known to be using these vulnerabilities in an attack – “will persistently pursue specific targets for months until it is successful in compromising the victims’ computer,” according to Microsoft. Its past attacks have shown it is after specific targets, not just trying to ensnare as many users as it can.

It’s hard to know for sure, but I think there is reason to believe that new attacks won’t be launched as a result of this public disclosure. In fact, the increased publicity often pushes the vendor to patch rather quickly, so attackers know that they have a very small window to craft an exploit and use it. Like anyone else, they don’t like to waste their effort.

What is clear is that there is a range of situations that require different responses; there just isn’t any consensus on what those responses should be. Like most ideological matters, there will likely always be multiple views on what’s right.