
Out of band ’emergency’ patch issued by Microsoft

Posted by on June 19, 2014.

Microsoft issued a patch this Tuesday, June 17. That is a week after Patch Tuesday, so by definition this was an out-of-band, or emergency, patch.

But if you read the advisory, it doesn’t sound that urgent. The vulnerability could lead to a denial of service. In the collective consciousness, DoS is considered an inconvenience (of varying severity) rather than a catastrophe (like direct data theft). Furthermore, Microsoft classifies the vulnerability as important rather than critical, and adds that it knows of no active attacks and believes that the release of exploit code is unlikely.

Microsoft says,

Exploitation of this vulnerability may cause the operating system or an application to become permanently unresponsive until it is restarted manually. It may also cause an application to close or quit unexpectedly without automatically recovering.

With exploitation considered unlikely, and the worst case being that something stops running, you have to wonder why this was released as an emergency patch.

Well, there are two reasons. Firstly, the point is not that some application might “become permanently unresponsive”, but which applications: any and all applications built on the Microsoft Malware Protection Engine, which includes Windows Defender, Microsoft Security Essentials and System Center Endpoint Protection. The engine hangs when it scans a specially crafted file, so a file that merely arrives on the machine (it does not need to be opened) can take the built-in Microsoft anti-malware defence offline until someone notices and restarts it. A denial of service against a security control is not a nuisance; it is the first step of an attack. With real-time scanning gone, the attacker could introduce more or less whatever he wished.

Still, with exploitation judged unlikely, one might wonder why this was patched out-of-band, something Microsoft has historically been reluctant to do.

Enter reason two: it was discovered and reported by Tavis Ormandy. Tavis Ormandy is a bit of a loose cannon in bug finding. Technically a Google engineer, he nevertheless tends to operate at least semi-autonomously. He most famously (or infamously) found a bug in the Help and Support Center of Windows XP and Server 2003 in 2010 and gave Microsoft just 5 days to fix it. When they failed to do so, he publicly disclosed the vulnerability, which went on to be exploited in the wild before Microsoft shipped a fix the following month.

Since then Google has changed its official disclosure policy: it now says that for critical vulnerabilities under active exploitation it will give vendors 7 days before disclosure (the general window remains 60 days). Remember that Ormandy is a Google engineer. So it is likely that the sub-text to this patch is that it was found and reported by Tavis Ormandy, now considering himself bound by Google’s 7 day period of grace, and Microsoft was in no position to assume he would apply the longer window.

Microsoft for its part knows from experience that Ormandy does not make idle threats, so this fault had to be fixed fast and out of band. However, it could also be fixed quietly. The Malware Protection Engine is updated through the same channel as the malware definitions (necessary to defeat the latest malware), so the fixed engine is pulled down automatically, typically within 48 hours, with no bulletin on Windows Update, no reboot and no user action. The practical caveat is that “automatic” only holds where definition updates are actually reaching the machine: an endpoint that is offline, behind a broken WSUS/SCCM path, or whose engine is already hung will not quietly fix itself, so the engine version and the state of the anti-malware service are worth checking rather than assuming.
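The check described above, as an added example that is not part of the original post or of any Microsoft tooling. It assumes the fixed engine version is taken from Microsoft’s advisory and passed in by the caller (the `1.1.0.0` used below is a placeholder, not the real number), that `Get-MpComputerStatus` is available (Defender module, Windows 8.1 / Server 2012 R2 and later), and that on older clients the engine version can be read from the `EngineVersion` value under the `Signature Updates` registry key of Windows Defender or Microsoft Antimalware (MSE / SCEP). The service names `WinDefend` and `MsMpSvc` are the Windows Defender and Microsoft Security Essentials / SCEP services respectively.

```powershell
# Added example (not from the original post): verify that the local Microsoft
# Malware Protection Engine has been updated to at least a given version and that
# the antimalware service is actually running, i.e. the engine is not sitting in
# the "permanently unresponsive" state the advisory describes.
#
# Assumptions (not from the original post):
#  - $MinimumEngineVersion is supplied by the caller from Microsoft's advisory
#  - Get-MpComputerStatus / AMEngineVersion exist (Defender module, Win 8.1+)
#  - older clients write EngineVersion under a "Signature Updates" registry key
function Test-MpEngineFixed {
    param(
        [Parameter(Mandatory)][version]$MinimumEngineVersion
    )

    $engineVersion = $null

    # Preferred path: the Defender cmdlets report the engine version directly.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if ($status.AMEngineVersion) {
            $engineVersion = [version]$status.AMEngineVersion
        }
    }
    else {
        # Fallback for Windows 7 / MSE / SCEP: registry values written by the client.
        $regPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
            'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
        )
        foreach ($p in $regPaths) {
            $v = (Get-ItemProperty -Path $p -Name EngineVersion `
                  -ErrorAction SilentlyContinue).EngineVersion
            if ($v) { $engineVersion = [version]$v; break }
        }
    }

    # A hung engine shows up as a stopped or missing service, not as an old version.
    # WinDefend = Windows Defender, MsMpSvc = Microsoft Security Essentials / SCEP.
    $svc = Get-Service -Name WinDefend, MsMpSvc -ErrorAction SilentlyContinue |
           Where-Object { $_.Status -eq 'Running' } |
           Select-Object -First 1

    [pscustomobject]@{
        EngineVersion  = $engineVersion
        EngineFixed    = ($null -ne $engineVersion) -and ($engineVersion -ge $MinimumEngineVersion)
        ServiceRunning = ($null -ne $svc)
        ServiceName    = $svc.Name
    }
}

# Placeholder minimum version; substitute the fixed engine version from the advisory.
$result = Test-MpEngineFixed -MinimumEngineVersion '1.1.0.0'
$result

# Engine updates ride the definition-update channel, so an out-of-date engine is
# fixed by forcing a definition update and re-checking, not by Windows Update.
if (-not $result.EngineFixed -and (Get-Command Update-MpSignature -ErrorAction SilentlyContinue)) {
    Update-MpSignature
    Test-MpEngineFixed -MinimumEngineVersion '1.1.0.0'
}
```

Run it from an elevated prompt on a sample of endpoints, or wrap it in `Invoke-Command` across a fleet, and treat `ServiceRunning = False` as the more urgent finding: an old engine will update itself, a hung one will not.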

A very serious flaw could be downplayed and fixed quietly — and that is exactly what has happened.


Submitted in: News, News_vulnerabilities