Microsoft rushes out a patch for the LNK vulnerability: but what else does it tell us?
I’m sorry to harp on about this, but, well, frankly there are things I just don’t understand. I’m talking about Microsoft, vulnerabilities, Patch Tuesday and responsible disclosure. Microsoft usually delivers all of its security patches at the same time each month: Patch Tuesday, the second Tuesday of the month. There is, therefore, approximately a 30-day gap between each security update. This 30-day gap sits nicely with the standard definition of responsible disclosure that I have always understood: if you find a vulnerability, report it quietly to the vendor and give that vendor 30 days to fix it before you go public.
Ah, but what if you discover a Windows vulnerability immediately after Patch Tuesday? If you give Microsoft the 30 days, it might just miss the next Patch Tuesday and still be another 30 days until the following one. Surely what you do here then, to be responsible, is to give Microsoft 60 days, not 30 days, before you go public?
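To make the timing argument concrete, here is a small added example (not the author’s code) that computes Patch Tuesday as the second Tuesday of a month, as the post defines it, and then reports how many Patch Tuesdays fall inside a 30-day or 60-day disclosure window. The report dates used are constructed for illustration; the only fact taken from the post is the second-Tuesday rule.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbers Monday as 0, so Tuesday is 1


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after: date) -> date:
    """Return the first Patch Tuesday strictly after the given date."""
    year, month = after.year, after.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate > after:
            return candidate
        month += 1
        if month == 13:
            month, year = 1, year + 1


def patch_tuesdays_within(report_date: date, deadline_days: int) -> list:
    """Patch Tuesdays inside the disclosure window (report_date, report_date + deadline_days]."""
    deadline = report_date + timedelta(days=deadline_days)
    found = []
    cursor = report_date
    while True:
        candidate = next_patch_tuesday(cursor)
        if candidate > deadline:
            return found
        found.append(candidate)
        cursor = candidate


def disclosure_window(report_date: date, deadline_days: int) -> dict:
    """Summarise what a fixed disclosure deadline gives the vendor in Patch Tuesday terms."""
    upcoming = next_patch_tuesday(report_date)
    inside = patch_tuesdays_within(report_date, deadline_days)
    return {
        "report_date": report_date,
        "deadline": report_date + timedelta(days=deadline_days),
        "days_to_next_patch_tuesday": (upcoming - report_date).days,
        "patch_tuesdays_in_window": inside,
        "deadline_covers_a_patch_tuesday": bool(inside),
    }


if __name__ == "__main__":
    # Constructed example: a report filed the day after a Patch Tuesday in a month
    # where the following Patch Tuesday is five weeks away rather than four.
    report = date(2010, 11, 10)
    for days in (30, 60):
        window = disclosure_window(report, days)
        print(f"{days}-day deadline from {report}: next Patch Tuesday in "
              f"{window['days_to_next_patch_tuesday']} days, "
              f"{len(window['patch_tuesdays_in_window'])} Patch Tuesday(s) inside the window")
```

Because the second Tuesday can be anywhere from 28 to 35 days after the previous one, a report filed the day after a Patch Tuesday can leave the next regular release 34 days away; a 30-day deadline then expires before any scheduled release exists, while a 60-day deadline always covers at least one.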
But what do you do if you have reason to believe that the vulnerability you have discovered is already being, or about to be, exploited? Such knowledge would not be unusual. Security researchers can sit very close to the fence. Some were hackers; most still know hackers; pretty well all will liaise with hackers.
So, believing a vulnerability is about to be exploited, and offering a 60-day period of grace before going public, what does the responsible security researcher do if he can get no commitment for a patch within 60 days? It seems to me perfectly responsible, for the security of the user, to force the vendor’s hand by going public immediately.
We are, of course, talking about Tavis Ormandy and his ‘infamous’ exposure of a vulnerability just five days after revealing it to Microsoft, but supposedly because Microsoft would not commit to fixing it within 60 days. For this he was castigated as ‘irresponsible’. See The case of Tavis Ormandy; and when does a blogger become a journalist? and GoogleWars! Is the Phoney War now over? for more information on this issue.
Why am I bringing this up again? Because today Microsoft is issuing a patch for the altogether different LNK vulnerability. This LNK vulnerability (see Some of the issues around the LNK zero-day vulnerability for some of the issues around…) was not disclosed to them before being used; it was discovered in use as an attack on SCADA systems. But Microsoft is not waiting for Patch Tuesday (8 more days). So how can MS rush out a patch for this vulnerability in 20 days but not commit to fixing Ormandy’s vulnerability in 60 days?
It’s not as if relative complexity is an issue. As Lumension’s Paul Henry blogs about this LNK patch:
Some security experts question how effective an out-of-band patch will be. Microsoft has never implemented a security process around LNK files. This is not a matter of adjusting the security process in their use, it is a matter of attempting to insert a fix into a problem that does not have any security process currently in place – not a simple task.
So what is left? Frankly, I’m pretty certain they’re playing politics with our security; and I’m pretty certain I don’t like it.