
Shifting Threats Challenge Microsoft’s Response to Exploits

Is Microsoft prepared to handle the coming wave of security threats? On Dec. 27, a potentially dangerous zero-day exploit struck Windows-based PCs and servers. Leveraging a previously undisclosed, unpatched vulnerability in the Windows graphics handling engine, the attack uses specifically tailored Windows Metafile (WMF) images to execute attacker-supplied code on the victim's PC. Most concerning, the exploit requires little or no user interaction: simply viewing a malicious image in Internet Explorer can compromise the system.
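As an added illustration, not part of the original article: the published analyses of this flaw (the bug Microsoft patched as MS06-001) showed that the trigger was a WMF META_ESCAPE record carrying the SETABORTPROC escape, which legacy GDI honoured by calling into the record's data as an abort procedure. Network and host scanners at the time keyed on exactly that record. The scanner below walks the WMF record stream and flags any SETABORTPROC escape, refusing malformed files rather than trusting the attacker-controlled size fields. The record layout and constants follow the Windows Metafile format; the two sample files are constructed inline, and the bytes in the "payload" are inert filler, not exploit code.

```python
import struct

# WMF record function codes and the escape sub-function of interest.
META_EOF = 0x0000
META_SETBKMODE = 0x0102      # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape that made GDI call into the record data
PLACEABLE_MAGIC = 0x9AC6CDD7 # optional 22-byte Aldus placeable header


def wmf_records(data):
    """Yield (function, params) for every record in a WMF blob.

    Raises ValueError instead of trusting a size field that runs past the
    buffer, so a truncated or hostile file never drives an out-of-bounds read.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        # Each record: DWORD size in 16-bit words, WORD function, then params.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at offset {off} has impossible size {size_words}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} overruns the file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF record")


def find_setabortproc(data):
    """Return one dict per META_ESCAPE/SETABORTPROC record found."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, declared = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append({"escape": esc_func,
                             "declared_bytes": declared,
                             "payload_bytes": len(params) - 4})
    return hits


def scan(data):
    """Classify a blob as 'clean', 'suspicious' (hits listed) or 'malformed'."""
    try:
        hits = find_setabortproc(data)
    except ValueError as err:
        return ("malformed", str(err))
    return ("suspicious", hits) if hits else ("clean", [])


# --- constructed sample files (assumption: minimal, but format-conformant) ---
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    # type=2 (disk), header=9 words, version 3.0, file size, objects, max record, reserved
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_SETBKMODE, struct.pack("<H", 1))])
_FILLER = b"\x90" * 8  # inert stand-in for where an exploit would place code
MALICIOUS_WMF = _wmf([_record(META_ESCAPE,
                              struct.pack("<HH", SETABORTPROC, len(_FILLER)) + _FILLER)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("setabortproc", MALICIOUS_WMF),
                       ("truncated", MALICIOUS_WMF[:-4])):
        print(name, scan(blob))
```

The point of the size checks is that the same untrusted length fields the exploit abused are what a naive scanner would also trust; a detector that reads past the end of its buffer on a crafted file is itself an attack surface.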

The WMF zero-day exploit represents an important shift in the nature of malware threats, where IT managers have little or no warning about an exploit attacking a system vulnerability. More troubling, the WMF zero-day exploit may have revealed some significant issues in the way Microsoft itself deals with time-critical threats.

On Jan. 3, a full week after the WMF exploit was discovered, Microsoft released a statement that read: "Microsoft has completed development of a security update to fix the vulnerability and that update is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month, although quality is the gating factor."

Michael Cherry, lead analyst for Windows and Mobile at Directions on Microsoft, says the Microsoft Security Response Center team dropped the ball by opting to wait for Patch Tuesday. "They have to be willing to modify their procedure based on the risk of the exploits," he says.


And that risk was very high. Security firms tracking the threat found that the WMF exploit was being used to install several different adware and spyware packages onto PCs. Security monitoring and training outfit The SANS Institute estimates that the exploit has been used to install bot software on about 1 million PCs.

To its credit, Microsoft issued an "out-of-band" update on Jan. 5 that closed the hole on patched systems. But Cherry says the change of heart may have been driven by more than security concerns.

"They were concerned about the uptake of the third-party patch," Cherry says, referring to an independently crafted fix for the vulnerability. "Anecdotally, it looked to me that people were seriously considering implementing the third-party patch. I was surprised by that personally."

Johannes Ullrich wasn't. The chief technical officer at The SANS Institute says the unofficial patch was downloaded about 275,000 times from his organization's Web site. Ullrich says the heavy interest shows that Microsoft badly miscalculated the threat posed by the WMF exploit.

"They basically just didn't get the exploit or the severity of it," he says. "Talking to them was frustrating because they didn't have anyone around who had used the exploit and played with it."

Microsoft, for its part, is working to write more secure code. The company's Security Development Lifecycle (SDL) process helps developers threat-model, review and harden the areas of code that attackers target. The result, says a Microsoft spokesperson, is measurably improved security.

"Microsoft has used the SDL on many products, including Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year."

The spokesperson also notes that security bulletins for SQL Server 2000 dropped sharply after the release of the SDL-tuned SP3.

In a blog posting at the Microsoft TechNet site, Mike Nash, the corporate vice president responsible for security at Microsoft, says his team sought to balance the need for a fully qualified patch against the risk of exposure and the inconvenience of installing an out-of-band release. Nash credits customer requests with the decision to ship the fix immediately rather than wait for Patch Tuesday.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.
