Schneier on Security
A blog covering security and security technology.
July 17, 2006
Zero-Day Microsoft PowerPoint Vulnerability
Symantec is reporting a zero-day PowerPoint exploit. Right now the threat assessment is low, but that could change overnight if someone writes an automatic worm that takes advantage of this vulnerability.
Note that the vulnerability appeared in the wild days after "Patch Tuesday," presumably to maximize the window of exposure before Microsoft issues a patch.
Posted on July 17, 2006 at 1:38 PM
Does anyone know how many engineers MS has working on response to reported vulnerabilities? A comparison of this number to the number working to develop Vista, or new applications, or new versions of old applications, might help cut through the marketing blather and give some idea of the real extent to which they are dedicated to securing their software. How many boots are actually on the ground?
Their response to vulnerability reports often seems awfully slow.
> the vulnerability appeared in the wild
> days after "Patch Tuesday,"?
the vulnerability? or the exploit?
Releasing 0day immediately after patch Tuesday doesn't maximize the exposure window. To maximize, you'd release some time before patch Tuesday, but close enough that Microsoft would not be able to find the vulnerability, patch it, and test the patch in the time remaining. Microsoft is reluctant to rush things into the patch because of the risk of breaking applications or compatibility; everything has to be thoroughly tested before release.
Carlo, I don't know the number, but Microsoft employs *a lot* of security folks. Nobody spends more on security research than Microsoft; I've heard it claimed that all other companies put together don't spend as much.
According to Secunia the exploit was discovered in the wild and led to the vulnerability discovery.
Assessment will be low because circulation is low - not because of the risk of the exploit itself. This is why Bruce says it could get nasty if a means to self replicate is found.
Can anybody explain what this business of "zero-day" and "wild days" is? Thanks
"Microsoft employs *a lot* of security folks. Nobody spends more on security research than Microsoft; I've heard it claimed that all other companies put together don't spend as much."
Who knows what is meant by "research". A few years ago I was invited to a presentation by Microsoft security that said they only had a handful of people dedicated to the role, but they were finally starting to make some inroads with product managers and get acceptance as part of the development process. I do not think you can compare this type of sell-then-fix software development organization to something like, let's just say, OpenBSD.
Oh, speaking of presentations, you should really see the PPT that explains this new zero-day vulnerability. ;)
"what's this business of 'zero-day'"
It's meant to represent the amount of time you have before you "must" patch your systems to avoid someone exploiting a vulnerability.
The timing often used to be discussed in orders of weeks, or even months and quarters, in order to ensure the stability and security of systems but a "zero-day" notice turns that idea completely upside-down. In theory it means the risk of damage from not patching is so high, there's no question or time to debate whether the patch itself could be harmful...
Oh, and something in the "wild" means it has been found on a system outside a controlled environment and in day-to-day operations/use -- the threat is real. Very similar to finding a dangerous animal in the wild, versus caged in a zoo...or a biological virus spreading in the wild versus sitting in a dish in a research lab.
It might be coincidence, but I remember this phrase becoming very popular around the time that the monkey virus was first reported (91 or 92?).
These folks keep track of the current list:
@Gabriel and @Davi
"0-Day" exploit does not represent criticality, but the fact that there is no patch and (usually) that the publisher of the software did not know about the vulnerability before the exploit was in the wild.
@Gabriel, @David and @Albert,
Zero day doesn't refer to whether there is a patch or not, and neither does it relate to criticality. A zero day exploit is an exploit for a vulnerability that is produced the same day the vulnerability is generally announced - zero full days have passed and there is already an exploit!
This does mean that there is almost certainly no chance of building, testing and deploying a patch for the vulnerability.
Of course, some malware exploits vulnerabilities that haven't been announced at all - these aren't zero exploits - more like negative day exploits, to coin a phrase.
Bruce -- Why not do a post, or series of posts, on some of the jargon used in the Security Biz? You could turn it into a glossary on your resources page. The disagreement on what a "zero-day exploit" is indicates a need for such a thing, even for the folks who read this blog.
Define "symetric block cipher" and give two examples.
I read the book "The Security Development Lifecycle", Microsoft (M. Howard and S. Lipner).
Like KB, I think Microsoft spends a lot on security. And if anything in the book is true - I believe most of it - then they are putting the money where few do: right from the requirements phase up to the security response.
ps: The book gives a lot of insight about what Microsoft does security wise before and after a product ships, but you might want to turn your marketing filter on.
I fail to see how this could be turned into a worm, as I believe it requires action on the part of the user to open the infected PowerPoint. However, judging by the behaviour of the users in the past, I suppose you could argue that their action is a given, and so they really are just part of the machine. Just set the "NUDE XXX Britney Spears" flag in the file name, and it will be opened with the highest priority!
The worst case scenario for this would be a second vulnerability affecting web systems. A worm that was able to infect websites and installed the exploit code into website homepages could be catastrophic.
"Of course, some malware exploits vulnerabilities that haven't been announced at all - these aren't zero exploits - more like negative day exploits, to coin a phrase."
How about "Sub-Zero Day Exploits"? It has a nice unpronounceable TLA and would strike a cold hand of fear into the Management types ;)
@Davi, I too visited Microsoft Research within the last year and I specifically asked how many people they had dedicated to security research. I was told about a dozen.
If anyone doesn't believe me, here they are: http://research.microsoft.com/security/
"Nobody throws more money on windows for security research than Microsoft"
"Nobody throws more money out of the window for security marketing than Microsoft"
: scnr :)
Microsoft Research represents only a small part of the people working on security at Microsoft and even your list is small. For example, move your URL up one level to http://research.microsoft.com/research/...
In any case, we agree that it isn't enough.
The more immediately applicable work comes from Mike Howard's group (referenced by Guillaume above). He is not on the Research side but is the Director of Corporate Security and has leadership of some of the good security stuff going on at Microsoft. We all find things to poke at with Microsoft, but I think you'd find that Mike's stuff is positive.
> How about "Sub-Zero Day Exploits"? It has a nice unpronounceable TLA [...]
SZDE? The German letter 'ß' (latin small letter sharp s. 0337, 223, 0xDF in the ISO 8859-1 and ISO 10646 character sets) is sometimes named "sz" because it was once a ligature of, you might have guessed it: 's' and 'z'. So it might be called a "ß-Day Exploit" or short "ß-Ex" (pronounced like the English county "Essex") and--Hail to the Mammon!--a new buzzword is born!
But kidding aside:
A 0-day exploit for something not essential for business means to shut off all involved services, in this case PowerPoint immediately, wait for a patch and mail a nice PPT-animation around that explains the situation with some calming pictures of hushing motives in soothing colors.
But PowerPoint is essential for the management! You can't kill it! The earth will halt and the heavens fall down!
So, my question: did anybody of you actually try to pull the plug and offer one of the, admittedly quite poor, alternatives? Which one, and what was the reaction?
An alternative spelling for the new buzzword might be "β-Day Exploit" or short "β-ex", pronounced like the name of the nice German beer "Becks", the one with a key on the bottle.
@Rich, I agree, Mike Howard is one of the best secure development guys out there, I have several of his books and I refer to them frequently. But, he's in the business of enforcing his security policy within the SDLC.
KB said that Microsoft spends more on security research than all other companies put together, and that's simply not the case. They might spend a load on fixing broken code, but they're not doing academic work in areas that benefit the security community (or even their own products for that matter).
Thanks for the clarification but I see your two paragraphs as a contradiction:
"Zero day doesn't refer to whether there is a patch or not, and neither does it relate to criticality. A zero day exploit is an exploit for a vulnerability that is produced the same day the vulnerability is generally announced - zero full days have passed and there is already an exploit!
This does mean that there is almost certainly no chance of building, testing and deploying a patch for the vulnerability."
I read that to mean:
1) 0-day not related to existence of a patch
2) 0-day means almost certainly no chance that a patch exists
No? I mean I'm with you on #2, but #1 doesn't do much for me.
I think the point is that the *definition* of "zero-day" is the time lapse between knowing about a vulnerability and finding an exploit. This definition makes no mention of the existence of a patch, and so the definition of "zero-day exploit" is unrelated to patch existence.
The lack of a patch is obviously a *consequence* of this definition, but does not form part of the definition itself.
yes, it does read quite badly looking back at it. In fact, #1 is what I meant. #2 was just exploring the consequence of #1, but it doesn't form part of the definition of zero day (as wm clarified nicely in his later post)
@KB Re: ``Carlo, I don't know the number, but Microsoft employs *a lot* of security folks. Nobody spends more on security research than Microsoft; I've heard it claimed that all other companies put together don't spend as much.''
They have a lot more work to do; they have a large code base that wasn't designed with multiple users let alone real security in mind, a system that requires anyone who installs an application to be an administrator, tons of third party code of marginal quality, and lots of legacy code to support.
Their response to security has historically been reactive rather than proactive. At the moment, I can't think of a security innovation they have made, except perhaps Authenticode, but they did it wrong (signed code can do just about anything) and besides, I doubt they invented signed code. The only proactive security measures I can think of are perhaps compiling W2K3 with stack smashing protection.
They like to brag about how many bugs they fix during alpha and beta testing and post-release, but they start with a big number because of this historical baggage and poor coding practices (microserfs). They deliberately avoid hiring people except recent grads, because they have preconceived notions and experiences that conflict with "The Microsoft Way" of doing things.
By contrast, OpenBSD brags about how many bugs it doesn't have to fix.
Can anyone provide me the download link of Microsoft products and their patch information? I want to get the patch ID, bulletin ID and the download links of all the patches released to date for all MS products in a single file (TXT, XML or any other).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.