3/8/2017
02:30 PM
Morey Haber
Commentary

In a Cybersecurity Vendor War, the End User Loses

When vulnerability information is disclosed without a patch available, users are the ones really being punished.

Rarely do you see corporations clash over vulnerability disclosures. It's almost an unwritten rule that a business won't take part in improper vulnerability disclosures, but Google has decided to go head-to-head with Microsoft by releasing information 90 days after initial notification, even though Microsoft has acknowledged the flaw and scheduled an update.

Although this type of activity is common for researchers, it looks like Google has decided to pick a fight with Redmond and wants vulnerabilities patched faster. Google also went on the offensive elsewhere, announcing it had produced a practical, reliable SHA-1 collision and discovering a major coding flaw, dubbed Cloudbleed, in Cloudflare's services. The latter leaked sensitive data across websites served through Cloudflare.

These activities are unusual for a company that isn't primarily a security vendor, and they only draw more attention to the disclosure of unpatched vulnerabilities in Windows. Early last month, Google disclosed an unpatched vulnerability in the Windows Graphics Device Interface (GDI), and later in February another (CVE-2017-0037) in Microsoft Edge and Internet Explorer that could lead to arbitrary code execution; both were published after the 90-day notification window had elapsed. Although most agree it's appropriate to wait 90 days after submitting a vulnerability, it's unusual for a company to release details the moment the period ends when the vendor has already acknowledged the flaw and committed to a patch.

What makes this disclosure so interesting, and potentially a battle between the two giant software organizations, is the publication of proof-of-concept code for the latest browser vulnerabilities in Edge and IE, which could allow attackers to refine the exploit and escalate privileges on targeted systems. That target base includes Windows 7, 8.1, and 10 on both 32- and 64-bit systems. As an unpatched zero-day vulnerability, it's just a matter of time before this weakness becomes weaponized.

Microsoft postponed February's Patch Tuesday until March, leaving the mainstream patch distribution unavailable to most users. This comes on top of the Microsoft SMB flaws that are already in the wild (disclosed February 3) with exploit code, making it a bad first quarter at Redmond for zero-day vulnerabilities.

Browser War or Something Else?
It has been a while since Microsoft has received so much negative press around security flaws at the hands of a competing corporation. Why Google has taken such a provocative stance is unclear, but the recommendation from other security professionals is very clear: mitigate the risk by replacing Internet Explorer and Edge with another vendor's browser. Is Google's approach an aggressive campaign to continue the browser wars? It may well be, or it may simply be a strict interpretation of the industry's 90-day standard for notification, disclosure, and patch remediation.

In the end, the end user is the one who suffers. Zero days are out in the wild, proof-of-concept exploits are available to attackers, and organizations are left finding suitable mitigations for the threats until patches are released, tested, and deployed. Businesses can only identify and document the risks using vulnerability assessment solutions and minimize the threats with application control and other proven security technologies.

Compliance regimes such as PCI should take note as well. There is no remediation path, and the vulnerabilities are now more than 90 days old, counted from initial notification to the manufacturer. The clock is ticking toward regulatory noncompliance. We can only hope Patch Tuesday in March (scheduled for March 14) addresses all of these problems and doesn't give attackers more time to refine their exploits.
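The 90-day window and the compliance clock described above are both things a vulnerability management team ends up tracking by hand. The following is an added example (not code from the article or from BeyondTrust) of a small disclosure-window tracker: given the date a vendor was notified, whether a patch has shipped or is scheduled, and whether proof-of-concept code is public, it classifies each tracked flaw so a defender can see what is past the window, what needs interim mitigation first, and what is exposed from a compliance standpoint. The notification dates, the compliance scoping, and the EXAMPLE-* identifiers are constructed for illustration; CVE-2017-0037 is the only identifier taken from the article, and its dates here are assumptions rather than reported facts.

```python
"""Disclosure-window tracker (added example, not from the article).

Classifies tracked vulnerabilities against a vendor-notification window so a
defender can rank interim mitigation work. Dates and the EXAMPLE-* identifiers
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DISCLOSURE_WINDOW_DAYS = 90  # the industry 90-day notification norm the article discusses


@dataclass
class TrackedVuln:
    ident: str                              # CVE id, or a constructed placeholder
    vendor_notified: date                   # day the vendor was first told
    patch_released: Optional[date] = None   # None until a fix actually ships
    patch_scheduled: Optional[date] = None  # vendor's announced fix date, if any
    public_poc: bool = False                # proof-of-concept or exploit code is public
    compliance_scoped: bool = False         # affected systems fall under a regime such as PCI


def days_since_notification(v: TrackedVuln, today: date) -> int:
    return (today - v.vendor_notified).days


def is_patched(v: TrackedVuln, today: date) -> bool:
    return v.patch_released is not None and v.patch_released <= today


def classify(v: TrackedVuln, today: date, window: int = DISCLOSURE_WINDOW_DAYS) -> str:
    """Return one of: patched, exploit-public, overdue, pending."""
    if is_patched(v, today):
        return "patched"
    if v.public_poc:
        return "exploit-public"  # needs interim mitigation now, whatever the window says
    if days_since_notification(v, today) > window:
        return "overdue"         # past the window with no fix shipped
    return "pending"


def days_until_scheduled_fix(v: TrackedVuln, today: date) -> Optional[int]:
    """Days until the vendor's announced patch date, or None if nothing is scheduled."""
    if v.patch_scheduled is None:
        return None
    return (v.patch_scheduled - today).days


URGENCY = {"exploit-public": 0, "overdue": 1, "pending": 2, "patched": 3}


def report(vulns: List[TrackedVuln], today: date,
           window: int = DISCLOSURE_WINDOW_DAYS) -> List[Dict]:
    """One row per vulnerability, most urgent first; ties broken by age."""
    rows = []
    for v in vulns:
        elapsed = days_since_notification(v, today)
        state = classify(v, today, window)
        rows.append({
            "id": v.ident,
            "state": state,
            "days_since_notification": elapsed,
            "days_past_window": max(0, elapsed - window),
            "days_until_scheduled_fix": days_until_scheduled_fix(v, today),
            # in-scope system, still unpatched, and past the window: audit exposure
            "compliance_flag": v.compliance_scoped and state != "patched" and elapsed > window,
        })
    rows.sort(key=lambda r: (URGENCY[r["state"]], -r["days_since_notification"]))
    return rows


# Constructed sample. CVE-2017-0037 is the Edge/IE flaw the article names; its
# notification date and compliance scope here are assumptions, not reported facts.
# The EXAMPLE-* entries are placeholders standing in for the other flaws mentioned.
SAMPLE = [
    TrackedVuln("CVE-2017-0037", date(2016, 11, 25), patch_scheduled=date(2017, 3, 14),
                public_poc=True, compliance_scoped=True),
    TrackedVuln("EXAMPLE-GDI", date(2016, 11, 16), patch_scheduled=date(2017, 3, 14)),
    TrackedVuln("EXAMPLE-SMB", date(2017, 2, 3), public_poc=True),
    TrackedVuln("EXAMPLE-FIXED", date(2017, 1, 10), patch_released=date(2017, 2, 14)),
]

if __name__ == "__main__":
    for row in report(SAMPLE, date(2017, 3, 8)):  # the article's publication date
        print(row)
```

Public proof-of-concept code outranks window age on purpose: a flaw with exploit code circulating needs application control or other interim mitigation immediately, while an overdue-but-private flaw mainly needs the scheduled patch date watched. The compliance flag only fires once the window has lapsed with no patch, which is the situation the paragraph above describes.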

It will be interesting to watch whether Google decides to release more vulnerability information against other vendors, and whether other organizations follow suit by publishing research once 90 days have passed. It could be just the start of a new cybersecurity battle. The result could be faster patches, or a gold mine of public exploits for attackers.

With more than 20 years of IT industry experience, Morey Haber serves as the vice president of technology for BeyondTrust. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees solutions for both vulnerability and privileged ...
Comments
technicalaccademy, User Rank: Apprentice
3/23/2017 | 1:27:15 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for everyone because the latest updates are known through this site.

technicalaccademy, User Rank: Apprentice
3/23/2017 | 1:25:10 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for the latest updates.