Better late than never is Microsoft’s new mantra. The software company patched a security flaw affecting Windows and Office on Nov. 11 that has been sitting in plain sight for 19 years.
The flaw, which could allow a hacker to remotely control a computer, was discovered by IBM X-Force researchers in May. Security analysts have begun comparing the new vulnerability to the OpenSSL bug called Heartbleed that was disclosed in April.
Microsoft released 14 patches to address the bug after months of planning with the IBM researchers who discovered it. Another two patches are expected to come, and while machines that are updated will no longer be vulnerable to this flaw, hackers are sure to begin searching for unpatched systems now that the vulnerability is public.
IBM’s Robert Freeman wrote in a blog post that had the vulnerability sold on the “gray market,” it would have “fetched six figures.” Freeman outlined a technical description of the vulnerability, and wrote that while they haven’t seen the flaw exploited “in the wild,” it’s only a matter of time.
It’s too early to know what the impact of this will be, said Stephen Hultquist, chief evangelist at Redseal Networks. “It’s similar to Heartbleed in that here’s a bug that sat there for a long time, undiscovered,” Hultquist said. “And what that should help everyone to have a little pause about is there will be more of these. There are more situations in the complexity of software than what we’ve seen, and things will be bubbling up.”
The exposure of this bug is a good thing in many ways, he said. “There’s more focus on it, there’s more discovery of it, and in this case, the patch was released before there was any in the wild validation or any clear exploitation of the bug,” he said. “My immediate assessment is that it won’t be as large an issue as Heartbleed, simply because of where the exploitation lives in the data movement chain, in other words, what an attacker would have to access, especially on the server side, in order to exploit this bug.”
The newly found flaw was graded 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS), a scheme for rating the potential for exploitation of a given bug. Heartbleed scored a 5.0, and Hultquist estimated that the CVSS discrepancy has to do with the vast number of machines throughout the world that might now be vulnerable, as opposed to the ease with which the bug can be exploited.
“Heartbleed’s issues were primarily around servers, and if Heartbleed was exploited by somebody, the data to which they would have immediate access is that which had been encrypted in its movement around a server farm,” he said. “That’s usually highly volatile kinds of data like personal information. So while it may have been a little less likely to be exploited because it was on servers and so on, the information you would have access to if you exploited it is much more valuable information.”
This flaw, he said, has more barriers for entry.
Governments looking to avoid having their systems compromised have a few things to consider. Besides patching their systems, Hultquist said, the first is to not use Internet Explorer. “Because of the kind of exploit this is, we’re back to standard end-user security kinds of things, which we’ve demonstrated don’t work all that well,” he said. “Don’t open attachments [if] you don’t know what they are – it’s things like that, which continue to be the primary avenue through which malware enters environments.”
The article Freeman wrote is full of information that can help administrators tailor their organization’s reaction to the bug and manage security going forward, Hultquist said.
“You can kind of look at the article and say, ‘Does this impact us, do I need to look for patches from my third party providers, do we need to patch our own code?’ and sort of stay on top of these things,” he said. “The other piece from my perspective as a network guy is network exploitability. How do you prioritize the efforts you’re going to have to take to do the patching work that needs to happen now? How do you prioritize? Most enterprises cannot patch everything all at once.”
Colin wrote for Government Technology from 2010 through most of 2016.