Researchers clam up about Microsoft's rush patches
Yesterday, security experts involved with two separate lines of research declined to comment further about the findings they had already published, saying or hinting that they were doing so at Microsoft's request.
The practice is certainly unusual, said a researcher who was not involved in the investigations. "It's not uncommon for vendors to ask researchers to withhold information," said Andrew Storms, director of security operations at nCircle Network Security. "But it's more like a gentlemen's agreement, where the vendor says, 'Here's the date we'll patch and after that you can disclose whatever you want.'"
At the Black Hat security conference on Wednesday, Ryan Smith, Mark Dowd and David Dewey are scheduled to show how to bypass the "kill-bit" mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls. The company used the technique July 14 to disable a video-streaming ActiveX control used by Internet Explorer (IE) because it wasn't able to fully patch the underlying problem in time.
Smith is a vulnerability researcher at VeriSign iDefense, while Dowd and Dewey both work for IBM Internet Security System's X-Force.
Although Smith has already posted a video that demonstrates that he, Dowd and Dewey were able exploit a kill-bit copy of IE, Smith said yesterday he couldn't answer questions about their research or confirm that it had prompted Microsoft to rush out its "out-of-cycle" patches.
"There's currently a trifecta-style embargo on my sharing information," Smith said in an e-mail. "Right now, all I'm allowed to say is that we've been working with Microsoft, and the update to be released tomorrow is going to address some of the issues to be [covered] in our speech on Wednesday at 3:15 p.m. PT."
Smith said the embargo would be lifted once Microsoft issues the emergency patches.
German security researcher Dennis Elser also declined yesterday to answer questions about the research he and Thomas Dullien, the CEO and head of research at Zynamics GmbH, have published claiming that the vulnerabilities to be patched today exist in several critical components of Windows and an unknown number of third-party applications.
Dullien, under his researcher moniker of "Halvar Flake," first posted details of their work on July 9, a week before Microsoft delivered the kill-bit update to cripple the flawed ActiveX control.
According to Elser, Dullien was asked by Microsoft to refrain from commenting on what the two had found, and he was taking the same tack. However, he was willing to speculate about what Microsoft's request meant. "The fact they asked Halvar [Flake] to not comment any further, plus his two latest blog posts are evidence enough, at least for me, to assume that they're going to patch the vulnerability within ATL (the msvidctl.dll issue) [today]," said Elser in an e-mail yesterday.
According to Dullien and Elser, Microsoft's kill-bit solution wasn't sufficient, since a programming error in a code "library" called Active Template Library (ATL) had resulted in vulnerabilities in other crucial Windows files, and perhaps third-party applications whose developers had also used ATL. They counted at least five such files in Windows XP and at least 13 in Vista.
"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue," Dullien said in his July 9 post.
It's possible that the two lines of research are related. As Robert McMillan of the IDG News Service critical flaw in the Domain Name System (DNS) software used to direct traffic on the Internet. "That was kept secret, but several people guessed it before there was a patch ready, so there were friendly reminders [to those researchers] to stop discussing it publicly," Storms said.
Microsoft will issue the out-of-band updates today for IE and Visual Studio via its usual Windows Update and Windows Server Update Services (WSUS) mechanisms around 1 p.m. ET.
Later today, at both 4 p.m. and 7 p.m. ET, Microsoft will host a webcast to take customer questions. Typically, Microsoft hosts such webcasts the day after it delivers patches.