Following the News that the zero-day flaw, which was recently discovered to affect all supported versions of Microsoft Word, was known to Microsoft while attacks were taking place. Darren Meyer, Senior Security Researcher, application security, Veracode commented below.
Darren Meyer, Senior Security Researcher, Application Security at Veracode:
“Veracode has long been a proponent of responsible disclosure of discovered flaws, and this is a pretty good example of that thought process in play.
“Disclosing a vulnerability publicly before there is a patch carries some risk – you’re giving away potentially dangerous information that people could use to cause harm. Not disclosing also has some risk – if you found it, criminals could have found it and not told anyone, and if a vendor is unwilling to acknowledge or fix the issue in a timely way, public disclosure can put needed pressure on them to do so.
“I generally advocate responsible disclosure–that is, disclosing to the vendor and giving them ample time to acknowledge and repair the issue before considering a public disclosure.
“Microsoft had an unenviable position: they had to weigh “putting on a band-aid” by patching one specific problem – and in so doing drawing attackers’ attention to a weakness – against spending more time to solve the underlying issue but leaving customers vulnerable for a little longer. This kind of work is difficult and error-prone.
“An organisation should do what Microsoft did, in general: weigh the risks to their customers of various options. It’s wise to use an accepted risk-assessment model to do that; Microsoft probably used DREAD, for example. All such models try to answer “how bad is this/could this be?” and “how likely/easy is this to exploit?”
“For example, if Microsoft had known that the issue was actively being exploited, they may have reached a different decision about how to proceed, because that changes the risk to their customers.”