News

Shifting Threats Challenge Microsoft’s Response to Exploits

• By Michael Desmond
• 02/01/2006

The WMF zero-day exploit represents an important shift in the nature of malware threats, where IT managers have little or no warning about an exploit attacking a system vulnerability. More troubling, the WMF zero-day exploit may have revealed some significant issues in the way Microsoft itself deals with time-critical threats.

On Jan. 3, a full week after the WMF exploit was discovered, Microsoft released a statement that read: "Microsoft has completed development of a security update to fix the vulnerability and that update is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month, although quality is the gating factor."

Michael Cherry, lead analyst for Windows and Mobile at Directions on Microsoft, says the Microsoft Security Response Center team dropped the ball by opting to wait for Patch Tuesday. "They have to be willing to modify their procedure based on the risk of the exploits," he says.

And that risk was very high. Security firms tracking the threat found that the WMF exploit was being used to install several different adware and spyware packages onto PCs. Security monitoring and training outfit The SANS Institute estimates that the exploit has been used to install bot software on about 1 million PCs.

To its credit, Microsoft issued an "out-of-band" update on Jan. 5 that plugged the hole, rendering the threat inert in patched systems. But Cherry says the change of heart may have been driven by more than security concerns.

"They were concerned about the uptake of the third-party patch," Cherry says, referring to an independently crafted fix for the vulnerability. "Anecdotally, it looked to me that people were seriously considering implementing the third-party patch. I was surprised by that personally."

Johannes Ullrich wasn't. The chief technical officer at The SANS Institute says the unofficial patch was downloaded about 275,000 times from his organization's Web site. Ullrich says the heavy interest shows that Microsoft badly miscalculated the threat posed by the WMF exploit.

"They basically just didn't get the exploit or the severity of it," he says. "Talking to them was frustrating because they didn't have anyone around who had used the exploit and played with it."

Microsoft, for its part, is working to write more secure code. The company's Security Development Lifecycle (SDL) process helps developers analyze, detect and harden areas of code being targeted by attackers. The result, says a Microsoft spokesperson, is measurably improved security.

"Microsoft has used the SDL on many products, including Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year."

The spokesperson also notes that security bulletins for SQL Server 2000 dropped sharply after the release of the SDL-tuned SP3.

In a blog posting at the Microsoft TechNet site, Mike Nash, the corporate vice president responsible for security at Microsoft, says his team sought to balance the need for a fully qualified patch against the risk of exposure and the inconvenience of installing an out-of-band release. Nash credits customer requests for an immediate fix.