Microsoft vulnerabilities: full disclosure and no disclosure
Following on from full disclosure, Microsoft now has a new disclosure variant to contend with – no disclosure. French security services provider VUPEN claims to have discovered two critical security vulnerabilities in the recently released Office 2010 – but has passed information on the vulnerabilities and advice on mitigation to its own customers only. For now, the company does not intend to fill Microsoft in on the details, as they consider the quid pro quo – a mention in the credits in the security bulletin – inadequate.
VUPEN, formerly known as FrSIRT, has customers that include various government agencies and other vendors, and according to comments made by VUPEN CEO Chaouki Bekrar to The H's associates at heise Security, it operates on a "private responsible disclosure policy" basis. The company does not release any information publicly until a patch is available.
Whether a patch will be available for the Office vulnerabilities depends on Microsoft and whether they are willing to pay for the information. VUPEN states that in recent years it has voluntarily assisted many vendors in fixing vulnerabilities, gratis. This year alone it claims to have reported 130 vulnerabilities in Microsoft products to Microsoft. VUPEN is of the opinion that this is no longer viable. "Why should security services providers give away for free information aimed at making paid-for software more secure?" asked Bekrar.
In the case of Office 2010, the company states that it has invested substantial time and effort in uncovering security vulnerabilities. The vulnerabilities in question are reported to be in Word and Excel and allow code injection. The company says that, although Office 2010 is more secure than previous versions, it's still possible to circumvent data execution prevention (DEP) and Office's protected view and file validation features, using techniques previously successfully used to write reliable exploits for Office 2007.
VUPEN is not alone – US security services provider Immunity Sec also practices no disclosure and provides its customers with information on zero-day exploits without informing Microsoft. By contrast, TippingPoint's Zero Day Initiative (ZDI) buys information on vulnerabilities, works the information into signatures for its intrusion detection system and then forwards the information to the vendor in question free of charge.
Microsoft also has fights on its hands on other fronts. A group of unknown developers has responded to Microsoft's criticism of a recent publication by Tavis Ormandy by founding the Microsoft-Spurned Researcher Collective (MSRC, cf. Microsoft Security Response Center). The group plans to publish vulnerabilities in full disclosure style and is already practising what it preaches with details of a privilege escalation vulnerability in Windows. The vulnerability is currently known to affect Windows Vista and Windows Server 2008.
According to reports by security services provider Secunia, there is also a buffer overflow in the UpdateFrameTitleForDocument function in the mfc42.dll (VC++ 6) Windows runtime component. At present the bug is only known to be triggerable in one application, PowerZip 7.2 build 4010 under Windows 2000 and XP. No further details or attack scenarios have been disclosed. According to a post on Twitter, Microsoft is investigating the problem.