Free QA and Light-bulb Disclosure

At the beginning of this year, a ‘critical bug in Excel’ was presented for sale (http://seclists.org/lists/fulldisclosure/2006/Jan/0413.html). The lucky buyer would get not only the full advisory, but also a fully working PoC allowing arbitrary code execution.

This March’s ‘Patch Tuesday’ was relatively small, with only two patches, one of them critical. The critical patch was in none other than Microsoft’s Office suite (http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx).

Giving the advisory a little attention, we notice something interesting. Take a look at the ‘credits’ section:

  • Ollie Whitehouse of Symantec for reporting the Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability – CVE-2006-0009
  • FelicioX for working with Microsoft on the Microsoft Office Excel Remote Code Execution Using a Malformed Range Vulnerability – CVE-2005-4131
  • Peter Winter-Smith of NGS Software for reporting similar behavior to the Remote Code Execution with Microsoft Office Excel Vulnerability – CVE-2005-4131
  • TippingPoint and the Zero Day Initiative for reporting the Microsoft Office Excel Remote Code Execution Using a Malformed File Format Parsing Vulnerability – CVE-2006-0028
  • Dejun of the Fortinet Security Response Team for reporting the Microsoft Office Excel Remote Code Execution Using a Malformed Description Vulnerability – CVE-2006-0029
  • Eyas of the XFOCUS Security Team for reporting the Microsoft Office Excel Remote Code Execution Using a Malformed Record Vulnerability – CVE-2006-0031

Quite an impressive list of well-respected security researchers, wouldn’t you say?

It appears that all Microsoft needs for proper QA is:
“One kiddie to piss them off, One kiddie to find them,
One kiddie to bring them all and in the darkness bind them.”

On the one hand, we dismiss a kiddie wanting to make a quick buck on Microsoft’s lacking QA. On the other hand, we have 5 security researchers giving Microsoft the usual “I’ll find your vulnerabilities, you’ll hide my name in tiny print at the end of your advisory” back-rub. So who’s more ethical?

Why should vendors invest in QA and security when you’ve got ‘responsible disclosure’?

Another issue to note is Microsoft’s tendency to release a non-cumulative cumulative patch. Given there are at least 6 different security issues in one advisory, I would call it quite cumulative…

The Microsoft Office suite does not update with your usual Windows Update, and users are ‘urged’ to use Office Update. In this day and age, where every desktop has a personal firewall, I would say that Office is a higher security risk than most core Windows components.
Considering that in new Windows versions one cannot evade the horror of automatic updates, I would say Office deserves more than an urge too. Wouldn’t you agree?

At the end of the day, the question arises: So how many security researchers does it take to replace a broken light-bulb?

  • Katom

    One CAN use “Microsoft Update” (and not Windows Update) to get ALL updates (not only Windows and Office).