AOH :: ISNQ5866.HTM

Microsoft, Aurora and something about forest and trees?




Microsoft, Aurora and something about forest and trees?
Microsoft, Aurora and something about forest and trees?



http://blog.osvdb.org/2010/01/24/microsoft-aurora-and-something-about-forest-and-trees 

By jericho
1.24.2010
OSVDB Blog

Perhaps it is the fine tequila this evening, but I really don't get how 
our industry can latch on to the recent 'Aurora' incident and try to 
take Microsoft to task about it. The amount of news on this has been 
overwhelming, and I will try to very roughly summarize:

News surfaces Google, Adobe and 30+ companies hit by "0-day" attack

Google uses this for political overtones

Originally thought to be Adobe 0-day, revealed it was MSIE 0-day

Jan 14, confirmed it is MSIE vuln, shortly after dubbed "aurora"

Jan 21, uproar over MS knowing about the vuln since Sept

Now, here is where we get to the whole forest, trees and some analogy 
about eyesight. Oh, I'll warn (and surprise) you in advance, I am giving 
Microsoft the benefit of the doubt here (well, for half the blog post) 
and throwing this back at journalists and the security community 
instead. Let's look at this from a different angle.

The big issue that is newsworthy is that Microsoft knew of this 
vulnerability in September, and didn't issue a patch until late January. 
What is not clear, is if Microsoft knew it was being exploited. The 
wording of the Wired article doesn't make it clear: "aware months ago of 
a critical security vulnerability well before hackers exploited it to 
breach Google, Adobe and other large U.S. companies" and "Microsoft 
confirmed it learned of the so-called 'zero-day' flaw months ago". Errr, 
nice wording. Microsoft was aware of the vulnerability (technically), 
before hackers exploited it, but doesn't specifically say if they KNEW 
hackers were exploiting it. Microsoft learned of the "0-day" months ago? 
No, bad bad bad. This is taking an over-abused term and making it even 
worse. If a vulnerability is found and reported to the vendor before it 
is exploited, is it still 0-day (tree, forest, no one there to hear it 
falling)?

Short of Microsoft admitting they knew it was being exploited, we can 
only speculate. So, for fun, let's give them a pass on that one and 
assume it was like any other privately disclosed bug. They were working 
it like any other issue, fixing, patching, regression testing, etc. Good 
Microsoft!

Bad Microsoft! But, before you jump on the bandwagon, bad journalists! 
Bad security community!

[...]


________________________________________ 
Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 
http://www.infosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods