Ultimate Windows Security Newsletter:

Issue #18, 06/27/06

Since last Patch Tuesday a number of zero-day vulnerabilities in Excel have been reported for which no patch is available, and at least one of these vulnerabilities is being exploited against companies in malicious attacks.

This raises a number of interesting issues:

  •  How do you mitigate the risk of zero day vulnerabilities?
  •  Will these zero-day vulnerabilities affect your anti-malware product selection now that Microsoft is in the anti-malware game?
  •  Motive and ethics regarding vulnerabilities reported by “security researchers”.

Have you updated Outlook Web Access?

If you missed my blog post from earlier this month, be aware that SEC Consult, the company that discovered the Outlook Web Access vulnerability announced this past Patch Tuesday, has said they will release the exploit details today, after having given you 2 weeks to install the patch.  For more details see my blog post “You’ve got 2 weeks to patch Outlook Web Access”.  If you missed this earlier, subscribe to the RSS feed and stay up to date with the important updates I post between newsletters.

How do you mitigate the risk of zero day vulnerabilities?

When a zero-day vulnerability is made public regarding a given file format (such as Excel and Word in recent weeks), there are limited options until the patch is released, which may take as long as a month:

  1)  Try to disable the file type from being downloaded or emailed into your network.
  2)  Implement a workaround described by the vendor.
  3)  Update your anti-malware as soon as its vendor develops a signature update.

The problem with option 1 is that blocking by file extension is easy to circumvent.  The flow of business would also be severely impaired if we blocked such a common file format as Excel, and as I like to say, “We’re in business to do business, not to be secure.”

The problem with option 2 that I’ve seen over the past 2 months is that Microsoft gives the bare details on some workarounds that might be applicable in some environments but doesn’t provide any assistance on how to actually deploy the workaround using automated means such as group policy.  Most organizations lack the time or skill to write scripts to do this.  If Microsoft takes the time to test a workaround, making the additional investment to publish a sample script or group policy administrative template that implements the workaround would enable many more organizations to actually use the workaround and thus protect their businesses.
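To make the weakness of option 1 concrete, here is an added example (my own illustration, not code from the newsletter or from any vendor) that classifies an attachment by its content signature instead of its file name. The signatures are the standard ones: legacy binary Office files (.xls, .doc) are Compound File Binary containers that begin with the 8-byte sequence D0 CF 11 E0 A1 B1 1A E1, and OOXML files (.xlsx, .docx) are ZIP archives with an `xl/` or `word/` folder inside. The sample attachments are constructed stand-ins (a zero-padded CFB header, an empty workbook ZIP), not real exploit documents; the function names are mine. The point it shows is that a renamed `.xls` slips straight past an extension rule while a content check still catches it, which is the kind of check a mail gateway or proxy needs if you decide to go with option 1 at all.

```python
import io
import zipfile

# Content signatures a gateway can rely on regardless of file name.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (.xls/.doc/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.xlsx/.docx) is a ZIP container


def sniff_office_type(data: bytes) -> str:
    """Classify a blob by what it contains, not by what it is called."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.startswith("xl/") for n in names):
            return "ooxml-excel"
        if any(n.startswith("word/") for n in names):
            return "ooxml-word"
        return "zip"
    return "other"


def blocked_by_extension(filename: str, blocked_exts: set) -> bool:
    """The naive gateway rule: look only at the suffix."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in blocked_exts


def blocked_by_content(data: bytes, blocked_types: set) -> bool:
    """The content-aware rule: look at the bytes."""
    return sniff_office_type(data) in blocked_types


# --- constructed sample attachments (benign stand-ins, not real exploit files) ---
def make_fake_xls() -> bytes:
    # A 512-byte CFB header: the 8-byte signature followed by zero padding.
    return OLE2_MAGIC + b"\x00" * 504


def make_fake_xlsx() -> bytes:
    # A minimal OOXML-shaped ZIP: content types plus an xl/ workbook part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


SAMPLE_ATTACHMENTS = {
    "budget.xls": make_fake_xls(),       # honest name, legacy binary workbook
    "report.xlsx": make_fake_xlsx(),     # honest name, OOXML workbook
    "notes.txt": make_fake_xls(),        # renamed .xls: the extension rule misses it
    "readme.txt": b"just some text\n",   # genuinely harmless text
}


def evaluate(attachments, blocked_exts, blocked_types):
    """Return {name: (extension_verdict, content_verdict)} for each attachment."""
    return {
        name: (blocked_by_extension(name, blocked_exts),
               blocked_by_content(data, blocked_types))
        for name, data in attachments.items()
    }


if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_ATTACHMENTS, {"xls", "xlsx"}, {"ole2", "ooxml-excel"})
    for name, (by_ext, by_content) in verdicts.items():
        print(f"{name:12} extension-block={by_ext!s:5} content-block={by_content}")
```

Running it shows `notes.txt` passing the extension rule and failing the content rule. Note that a content check of this kind only tells you a file is a workbook; it still cannot tell a benign workbook from one carrying an exploit for an unpatched parser bug, which is why the newsletter's option 3 (signature updates from your anti-malware vendor) remains the main line of defense for file-format zero-days.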

Will these zero-day vulnerabilities affect your anti-malware product selection now that Microsoft is in the anti-malware game?

It is interesting to note that with last month’s zero-day vulnerability in Word, Microsoft noted in a blog posting that their Live OneCare service had already been updated to detect and remove the vulnerability.  I also note that in these recent advisories Microsoft mentions that they are sharing information with their anti-virus partners to help them develop updates to their detection engines. 

Why might these facts influence your selection of anti-malware solutions in the future?  Because anti-malware is currently the most effective defense against these file type based zero-day exploits and because with zero-day exploits, time is of the essence.  It will pay in coming weeks to watch and compare how quickly anti-malware vendors develop and release updates.  Will or do Microsoft partners succeed in getting their patches out sooner?  Will Microsoft Antigen become the fastest by having a direct connection to the Microsoft Security Response Team? 

Regarding vulnerabilities reported by “security researchers” who responsibly withhold the details of how to actually exploit the vulnerability.

Kudos for following responsible disclosure, but their motive and timing bear some examination.  When software companies whose major product is a vulnerability scanner are the ones finding the vulnerabilities, you have to wonder if it’s a matter of the tail wagging the dog.  I think in the short term it causes more work for us, but in the long term it’s probably healthy for the industry because it keeps the pressure on software vendors like Microsoft and others to refine their patch process and ultimately improve the quality of their code in the first place.  But researchers can take it too far if they fall victim to 2 obvious temptations:

1) By timing initial announcements, security researchers can maximize the amount of attention they receive by increasing the Fear, Uncertainty and Doubt created.  What service to the public does it serve to announce you’ve found a vulnerability and reported it to the vendor?  One might counter by saying it increases pressure on the vendor to get the patch out as soon as possible.  That’s good as long as it doesn’t cause the vendor to cut some corners.

2) After giving the vendor time to develop and release a patch, security researchers must determine how long to wait before disclosing the actual details of how to exploit the vulnerability.  This month we saw a company announce they would disclose exploit details for a vulnerability just 14 days after the vendor released the patch.   (See my blog “You’ve got 2 weeks to patch Outlook Web Access”).  When a researcher does this, they are essentially dictating your patch schedule and deciding for you how much time you can test the patch before deploying it. 

News

The next Security Log Secrets course is August 7 and 8 in beautiful San Francisco.  Register now to secure the early registration discount.

Can’t come to Security Log Secrets?  Buy the DVD at http://www.ultimatewindowssecurity.com/sls-r.html

As always I welcome your thoughts and tips.

Yours truly,

Randy Franklin Smith

CISA, SSCP, Security MVP

List address: MonthlySecurityTip@ultimatewindowssecurity.com
Subscribe: MonthlySecurityTip-subscribe@ultimatewindowssecurity.com
Unsubscribe: MonthlySecurityTip-unsubscribe@ultimatewindowssecurity.com