Microsoft Zero-Day Flaw

By   ISBuzz Team
Writer , Information Security Buzz | Apr 28, 2017 01:54 pm PST

Following the news that the zero-day flaw recently discovered to affect all supported versions of Microsoft Word was known to Microsoft while attacks were taking place, Darren Meyer, Senior Security Researcher, Application Security at Veracode, commented below.

Darren Meyer, Senior Security Researcher, Application Security at Veracode

“Veracode has long been a proponent of responsible disclosure of discovered flaws, and this is a pretty good example of that thought process in play.

“Disclosing a vulnerability publicly before there is a patch carries some risk – you’re giving away potentially dangerous information that people could use to cause harm. Not disclosing also has some risk – if you found it, criminals could have found it and not told anyone, and if a vendor is unwilling to acknowledge or fix the issue in a timely way, public disclosure can put needed pressure on them to do so.

“I generally advocate responsible disclosure–that is, disclosing to the vendor and giving them ample time to acknowledge and repair the issue before considering a public disclosure.

“Microsoft had an unenviable position: they had to weigh “putting on a band-aid” by patching one specific problem – and in so doing drawing attackers’ attention to a weakness – against spending more time to solve the underlying issue but leaving customers vulnerable for a little longer. This kind of work is difficult and error-prone.

“An organisation should do what Microsoft did, in general: weigh the risks to their customers of various options. It’s wise to use an accepted risk-assessment model to do that; Microsoft probably used DREAD, for example. All such models try to answer “how bad is this/could this be?” and “how likely/easy is this to exploit?”

“For example, if Microsoft had known that the issue was actively being exploited, they may have reached a different decision about how to proceed, because that changes the risk to their customers.”
