
Vulnerabilities / Threats

3/8/2017
02:30 PM
Morey Haber
Commentary

In a Cybersecurity Vendor War, the End User Loses

When vulnerability information is disclosed without a patch available, users are the ones really being punished.

Rarely do you see corporations clash over vulnerability disclosures. It's almost an unwritten rule that a business won't take part in an improper disclosure, yet Google has decided to go head-to-head with Microsoft by releasing vulnerability information 90 days after initial notification, even though Microsoft has acknowledged the flaw and scheduled an update.

Although this type of activity is common for independent researchers, it looks like Google has decided to pick a fight with Redmond because it wants vulnerabilities patched faster. Google has also gone on the offensive elsewhere, announcing that it had successfully and reliably cracked SHA-1 and that it had discovered a major coding flaw, dubbed Cloudbleed, in Cloudflare's hosting services. The latter leaked sensitive data across websites hosted by Cloudflare.

These activities are unusual for a company whose primary business is not security, and they only heighten attention on its disclosure of unpatched vulnerabilities in Windows. Early last month, Google disclosed an unpatched vulnerability in the Windows Graphics Device Interface (GDI), and later in February another (CVE-2017-0037) in Microsoft Edge and Internet Explorer that could lead to arbitrary code execution; both were published after the 90-day window from the initial report had expired. Although most agree that waiting 90 days after reporting a vulnerability is appropriate, it's unusual for a company to release the details as soon as that period ends when the vendor has acknowledged the flaw and a patch is coming.

What makes this disclosure so interesting, and potentially a battle between the two giant software organizations, is the publication of proof-of-concept code for the latest browser vulnerabilities in Edge and IE, which could allow attackers to refine the exploit and escalate privileges on targeted systems. The target base includes Windows 7, 8.1, and 10 on both 32- and 64-bit systems. As an unpatched zero-day vulnerability, it's just a matter of time before this weakness is weaponized.

Microsoft delayed February's Patch Tuesday fix until March, leaving the mainstream patch channel without a fix for the masses. This comes on top of the Microsoft SMB flaws already in the wild (disclosed February 3) with exploit code, making it a bad first quarter at Redmond for zero-day vulnerabilities.

Browser War or Something Else?
It has been a while since Microsoft received so much negative press about security flaws at the hands of a competing corporation. Why Google has taken such a provocative stance is unclear, but the recommendation from other security professionals is very clear: replace Internet Explorer and Edge with another vendor's browser to mitigate the risk. Is Google's approach an aggressive campaign to continue the browser wars? That is entirely possible, or it may just be a strict interpretation of the industry's 90-day standard for notification, disclosure, and patch remediation.

In the end, the end user is the one who suffers. Zero-days are out in the wild, proof-of-concept exploits are available to attackers, and organizations are left finding suitable mitigations for the threats until patches are released, tested, and deployed. Businesses can only identify and document the risks using vulnerability assessment solutions and minimize the threats with application control and other proven security technologies.

Compliance regimes such as PCI should take note as well. There is no remediation path, and the vulnerabilities are now more than 90 days old from initial notification to the manufacturer. The clock is ticking toward regulatory noncompliance. We can only hope that March's Patch Tuesday (scheduled for March 14) addresses all of these problems and doesn't give hackers more time to refine their exploits.

It will be interesting to watch whether Google decides to release more vulnerability information against other vendors, and whether other organizations follow suit by publishing research once 90 days have passed. It could be just the start of a new cybersecurity battle. The result could be faster patches, or a gold mine of public exploits for attackers.

With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Morey Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...
Comments
technicalaccademy, User Rank: Apprentice, 3/23/2017 | 1:27:15 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for everyone because the latest updates are known through this site.
technicalaccademy, User Rank: Apprentice, 3/23/2017 | 1:25:10 AM
Technologynews
Thanks for sharing the cybersecurity-related news. It is very helpful for the latest updates.