Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/8/2017
02:30 PM
Morey Haber
Morey Haber
Commentary
Connect Directly
Facebook
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

In a Cybersecurity Vendor War, the End User Loses

When vulnerability information is disclosed without a patch available, users are the ones really being punished.

Rarely do you see corporations clash over vulnerability disclosures. It's almost an unwritten rule that a business wouldn't participate in improper vulnerability disclosures, but Google has decided to go head-to-head with Microsoft in the release of information after 90 days of initial notification, even though Microsoft has acknowledged the flaw and scheduled an update.

Although this type of activity is common for researchers, it looks like Google has decided to pick a fight with Redmond and wants vulnerabilities patched faster. In addition, Google went on the offensive, disclosing it successfully and reliably cracked SHA1 and discovered a major coding flaw dubbed Cloudbleed in Cloudflare hosting services. The latter is responsible for the leakage of sensitive data across websites that are hosted by Cloudflare services.

These activities are rather unusual for a company that's not primarily focused on security and only emphasize the disclosure of unpatched vulnerabilities in Windows. Early last month, Google disclosed an unpatched vulnerability in the Windows Graphic Device Interface (GDI), and later in February another (CVE-2017-0037) in Microsoft Edge and Internet Explorer that could lead to arbitrary code execution — both of which are 90 days past due since disclosure. Although most say it's appropriate to wait 90 days after submitting a vulnerability, it's unusual for companies to release information when the period ends and acknowledge a patch is coming.

What makes this disclosure so interesting, and potentially a battle between the two giant software organizations, is the disclosure of proof-of-concept code related to the latest browser vulnerabilities in Edge and IE that could allow hackers to refine the exploit and escalate privileges on targeted systems. That target base includes Windows 7, 8.1, and 10 for both 32- and 64-bit systems. As a zero-day, unpatched vulnerability, it's just a matter of time before this weakness becomes weaponized.

Microsoft delayed February's Patch Tuesday fix until March, making the mainstream distribution of patches unavailable to the masses. In fact, this adds to the Microsoft SMB flaws that are already in the wild (disclosed February 3) with exploit code, making it a bad first quarter at Redmond for zero-day vulnerabilities.

Browser War or Something Else?
It has been awhile since Microsoft has received so much negative press around security flaws at the hands of a competing corporation. Why Google has taken such a provocative stance is unclear, but the recommendation from other security professionals to mitigate the risks are very clear: replace Internet Explorer and Edge with another vendor's products to mitigate the risk. Is Google's approach an aggressive campaign to continue the browser wars? It may be very possible or just a strict interpretation of the industry 90-day standard for notification, disclosure, and patch remediation.

In the end, the end user is the one that suffers. Zero days are out in the wild, proof-of-concept exploits are available to hackers, and organizations are left finding suitable mitigations for the threats until patches are released, tested, and deployed. Businesses can only identify and document the risks using vulnerability assessment solutions and minimize the threats with application control and other proven security technologies.

Compliance regimes such as PCI should take note as well. There is no remediation path, and now vulnerabilities are over 90 days old from initial notification to the manufacturer. The clock is ticking for regulatory incompliance. We can only hope Patch Tuesday in March (scheduled for March 14) addresses all of these problems and doesn't give hackers more time to refine their exploits.

It will be interesting to watch if Google decides to release more vulnerability information against other vendors and whether other organizations follow suit with research after 90 days of have passed. It could be just the start of a new cyber security battle. The results could be faster patches or a gold mine for attackers for public exploits.

Related Content:

With more than 20 years of IT industry experience, Morey Haber serves as the vice president of technology for BeyondTrust. He joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees solutions for bothvVulnerability and privileged ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:27:15 AM
Technologynews
Thanks for sharing the cybersecurity related news.it is very help ful for every one because latest updates are known through this site
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:26:56 AM
Technologynews
Thanks for sharing the cybersecurity related news.it is very help ful for every one because latest updates are known through this site
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
3/23/2017 | 1:25:10 AM
Technologynews
Thanks for sharing the cybersecurity related news.it is very help ful for the latest updates
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.