Vulnerabilities / Threats

3/8/2017
02:30 PM
Morey Haber
Commentary
In a Cybersecurity Vendor War, the End User Loses

When vulnerability information is disclosed without a patch available, users are the ones really being punished.

Rarely do you see corporations clash over vulnerability disclosures. It's almost an unwritten rule that a business wouldn't take part in improper vulnerability disclosures, but Google has decided to go head-to-head with Microsoft by releasing information 90 days after initial notification, even though Microsoft has acknowledged the flaw and scheduled an update.

Although this type of activity is common for researchers, it looks like Google has decided to pick a fight with Redmond and wants vulnerabilities patched faster. In addition, Google went on the offensive, disclosing that it had successfully and reliably produced a SHA-1 collision and that it had discovered a major coding flaw, dubbed Cloudbleed, in Cloudflare's hosting services. The latter leaked sensitive data across websites hosted by Cloudflare.

These activities are unusual for a company whose primary business is not security, and they only draw more attention to the disclosure of unpatched vulnerabilities in Windows. Early last month, Google disclosed an unpatched vulnerability in the Windows Graphics Device Interface (GDI), and later in February another (CVE-2017-0037) in Microsoft Edge and Internet Explorer that could lead to arbitrary code execution; both are more than 90 days past their initial report. Although most agree it's appropriate to wait 90 days after submitting a vulnerability, it's unusual for a company to release the information the moment that period ends when the vendor has already acknowledged the flaw and said a patch is coming.

What makes this disclosure so interesting, and potentially the opening of a battle between the two software giants, is the release of proof-of-concept code for the latest browser vulnerabilities in Edge and IE, which could allow hackers to refine the exploit and escalate privileges on targeted systems. That target base includes Windows 7, 8.1, and 10 on both 32- and 64-bit systems. As a zero-day, unpatched vulnerability, it's just a matter of time before this weakness becomes weaponized.

Microsoft delayed February's Patch Tuesday fix until March, leaving the masses without a fix through the mainstream patch distribution. In fact, this adds to the Microsoft SMB flaws already in the wild with exploit code (disclosed February 3), making it a bad first quarter at Redmond for zero-day vulnerabilities.

Browser War or Something Else?
It has been a while since Microsoft has received so much negative press around security flaws at the hands of a competing corporation. Why Google has taken such a provocative stance is unclear, but the recommendation from other security professionals for mitigating the risk is very clear: replace Internet Explorer and Edge with another vendor's products. Is Google's approach an aggressive campaign to continue the browser wars? It may well be, or it may simply be a strict interpretation of the industry's 90-day standard for notification, disclosure, and patch remediation.

In the end, the end user is the one who suffers. Zero-days are out in the wild, proof-of-concept exploits are available to hackers, and organizations are left finding suitable mitigations for the threats until patches are released, tested, and deployed. Businesses can only identify and document the risks using vulnerability assessment solutions and minimize the threats with application control and other proven security technologies.

Compliance regimes such as PCI should take note as well. There is no remediation path, and the vulnerabilities are now more than 90 days old from initial notification to the manufacturer. The clock is ticking toward regulatory noncompliance. We can only hope March's Patch Tuesday (scheduled for March 14) addresses all of these problems and doesn't give hackers more time to refine their exploits.

It will be interesting to watch whether Google decides to release more vulnerability information against other vendors, and whether other organizations follow suit by publishing their research once 90 days have passed. It could be just the start of a new cybersecurity battle. The result could be faster patches, or a gold mine of public exploits for attackers.

With more than 20 years of IT industry experience, Morey Haber serves as the vice president of technology for BeyondTrust. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees solutions for both vulnerability and privileged ...
Comments
technicalaccademy, User Rank: Apprentice, 3/23/2017 | 1:27:15 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for everyone because the latest updates are known through this site.
technicalaccademy, User Rank: Apprentice, 3/23/2017 | 1:25:10 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for the latest updates.