Tuesday, June 12, 2012
Why did it take Microsoft three months to fix the VUPEN flaw?
Microsoft is out with its June Patch Tuesday update, which features seven security bulletins and fixes at least 26 security vulnerabilities. Microsoft is also releasing a separate fix that will revoke untrusted security certificates from Windows Vista and Windows 7 PCs.
Among the critical bulletins in the Patch Tuesday update this month is the MS12-07 cumulative security update for Internet Explorer. That update fixes 13 vulnerabilities, including one first reported to Microsoft in March by security research firm VUPEN, at the Pwn2Own hacking challenge.
Why did it take Microsoft three months to fix the VUPEN flaw? Jason Miller, Manager of Research and Development at VMware, told eSecurity Planetthat he believes Microsoft spent extra time on ensuring the fix worked without breaking any functionality in Internet Explorer. Microsoft also had the luxury of time on the VUPEN flaw, owing to the confidential nature of the disclosure.
"The vulnerability was privately disclosed, so this gave Microsoft more time to work on the fix for it," Miller said. "If the vulnerability had been disclosed to the public, I am sure Microsoft would have accelerated the release cycle for the vulnerability."
Miller also noted Microsoft would more than likely have gone out-of-band to release the fix, if the vulnerability had somehow become public and Microsoft had received reports of attacks.
"Overall, I like to see Microsoft take the extra time to get the fix right the first time," Miller said. "In the past year, we have seen a security bulletin released that did not fully fix the vulnerability and caused a re-release of the bulletin. This is a headache for people trying to manage patches on their network."
In addition to the big IE fix, there is a critical vulnerability fix for Microsoft's Remote Desktop Protocol (RDP).
"A remote code execution vulnerability exists in the way that the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted," Microsoft warned in its security bulletin. "An attacker who successfully exploited this vulnerability could run arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
The final critical update deals with a vulnerability in the .NET framework that could also potentially lead to remote code execution.
"A remote code execution vulnerability exists in the Microsoft .NET Framework due to the improper execution of a function pointer," Microsoft warned in its MS12-038 bulletin. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
Miller noted that of particular note with the MS12-038 bulletin is that it also affects the Windows 8 Preview release.
"People who are using the Windows 8 Preview will need to pay particular attention to Security Bulletins going forward," Miller said. "In the case of MS12-038, the original release of the Windows 8 Preview is affected by this bulletin and needs to be patched."
Flame Malware Fallout
Even with the seven security bulletins in the June Patch Tuesday update, there is still an additional security issue that Windows users need to remediate.
The recent discovery of the Flame malware was accompanied by disclosure from Microsoft that bad certificates signed by Microsoft might have enabled the outbreak. To help mitigate the risks of other potentially bad certificates, Microsoft is now issuing an updater for Windows Vista and Windows 7 to remove untrusted certificates.
Going a step further, Microsoft announced today that in August there will be an additional update that will invalidate certificates that have RSA keys of less than 1024 bits.
"Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority," Angela Gunn of Microsoft's Trustworthy Computing group wrote in a blog post.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment