When An 0-day Isn't An 0-day
Wednesday 23rd August, 2006 09:33 Comments: 0
There's been a bit of fuss over an alleged 0-day in Microsoft PowerPoint, but it turns out that this is not 0-day vulnerability, it is related to patched MS06-012. That patch came out in March, 5 months ago. Isn't it amazing what a fuss "researchers" can make over a vulnerability that was patched so long ago. How did none of them notice it'd been patched?
Talking of researchers, Microsoft aren't very happy with eEye for disclosing problems with the (now postponed) hotfix that was due out yesterday. You can try and read between the lines in the MSRC blog:
Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of this vulnerability. Since the exploitability of this is public now however, there is certainly increased risk of attack.
Or read the less subtle post on the IEBlog:
You may have read reports of a new, irresponsibly disclosed vulnerability that affects IE 6.0 SP1. We are aware of this issue and are actively working on an update that addresses the problem, which was introduced with our last security update (MS06-042).
It sounds like the issue is because Microsoft changed some buffer sizes in XP SP2; the code was first fixed in XP SP2 and then ported down to XP SP1 without taking this change into consideration. With XP SP1 support ending in less than 60 days, it's probably easier/safer/better to upgrade to SP2. Plus SP2 is great.
Talking of researchers, Microsoft aren't very happy with eEye for disclosing problems with the (now postponed) hotfix that was due out yesterday. You can try and read between the lines in the MSRC blog:
Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of this vulnerability. Since the exploitability of this is public now however, there is certainly increased risk of attack.
Or read the less subtle post on the IEBlog:
You may have read reports of a new, irresponsibly disclosed vulnerability that affects IE 6.0 SP1. We are aware of this issue and are actively working on an update that addresses the problem, which was introduced with our last security update (MS06-042).
It sounds like the issue is because Microsoft changed some buffer sizes in XP SP2; the code was first fixed in XP SP2 and then ported down to XP SP1 without taking this change into consideration. With XP SP1 support ending in less than 60 days, it's probably easier/safer/better to upgrade to SP2. Plus SP2 is great.