Did Microsoft Drop the Ball on the Word Zero-Day Flaw?Despite In-the-Wild Exploits, Patch Prep Took Over Five Months
In this age of agile development and iterative fixes, is Microsoft patching flaws in its operating system and products - and issuing related warnings and workarounds to users - quickly enough?
On April 11, Microsoft issued a massive batch of software patches for Windows. One fixed a critical, zero-day vulnerability in Word that can allow an attacker to bypass Windows security protections and install malware (see Zero-Day Attack Targets Microsoft Office).
"Google has committed to no longer than a 90-day turnaround to fix vulnerabilities in their software."
The flaw, designated CVE-2017-0199, is serious: It affects all previous versions of Windows including Windows 10 - heralded as being the most well-secured version of the OS to date.
But while a security researcher privately disclosed the flaw to Microsoft in October 2016, Microsoft took more than five months to prep a related patch.
Is that good enough?
The Move Toward Faster Patches
While such a delay may have been common at one time, arguably the benchmark has changed.
Now, waiting to patch for more than five months "does seem excessive," says Jeremiah Grossman, chief of security strategy at endpoint security firm SentinelOne. "As a comparison, Google has committed to no longer than a 90-day turnaround to fix vulnerabilities in their software. Most of their reported issues are fixed far faster than that, too."
Still, Grossman and others acknowledge that developing patches is no easy feat - especially for a software ecosystem the size of Windows. The consequence of issuing a patch that breaks other functionality, or even worse proves to be ineffective, could be devastating - and potentially far worse than the flaw that's being fixed.
At the same time, the longer that a company waits to fix a zero-day vulnerability, the greater the chance that more people with malicious intent will discover the bug and begin capitalizing on it (see Zero-Day Facts of Life Revealed in RAND Study).
Indeed, zero-day flaws in Microsoft Office remain highly prized by cybercriminals and nation-states and can fetch hundreds of thousands of dollars on the black market.
Part of that equation revolves around reliability: tricking someone into opening a malicious Word document remains a highly effective social engineering strategy. Activists and dissident groups, for example, continue to fall prey to such attacks. As that suggests, despite numerous, related warnings, would-be victims still have a tough time refraining from opening emails and attachments that have been carefully crafted to appeal to them.
McAfee Called Microsoft's Bluff
The Word bug was disclosed to Microsoft in October 2016 by Ryan Hanson, a security consultant at Optiv, an IT service management firm.
The period when a flaw is disclosed to a vendor and confirmed by its researchers, and when the company produces a viable, well-tested and safe fix, can be nerve-wracking. It's a race to engineer a workable patch before others also discover the flaw.
Several months after Hanson's report, this appears to be precisely what happened.
In January, cybersecurity FireEye began noticing in-the-wild attacks that targeted the flaw, and it also privately notified Microsoft. Since then, FireEye says it has seen a nation-state group launch attacks that use the exploit to infect PCs with FINSPY, which is a spying tool developed by the Gamma Group. The Anglo-German firm has been criticized for selling hacking tools to governments, some of which have poor human-rights records.
By April, cybersecurity firm McAfee also found attacks targeting the Office flaw. Unlike FireEye, however, McAfee publicly disclosed the bug on its blog, just four days prior to Microsoft's regularly scheduled "Patch Tuesday."
It's not clear if Microsoft told McAfee that it planned to release a related fix on April 11. In an email statement to ISMG, McAfee says its blog post was "a report of an in-the-wild attack on customers' systems detected last week, not a vulnerability disclosure."
As to why the company published the blog post four days prior to Patch Tuesday, McAfee attributed it to a "glitch."
"We had a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected," writes Vincent Weafer, vice president of McAfee Labs. "We have nothing more to say at this time."
Following McAfee's public alert, large-scale attack campaigns began targeting the Word bug, according to cybersecurity firm ProofPoint. In particular, millions of spam messages - mostly aimed at Australians - began carrying malicious Word documents designed to exploit the zero-day flaw and install Dridex, which is powerful banking malware.
Jerome Segura, a senior security researcher with cybersecurity firm Malwarebytes, says the Word flaw would have received a lot less attention if it wasn't for the wave of Dridex spam that followed - and was apparently sparked by - McAfee's post.
"It's also another reason why many went up in arms at a blog post published by a security company before Patch Tuesday, robbing another company of the actual initial public disclosure," Segura says via email.
John Bambenek, threat intelligence manager with Fidelis Cybersecurity, says McAfee's post likely told the gang that had developed the exploit that their window to make money from it was rapidly closing, thus triggering a hurried-up sale of the flaw to the Dridex group.
"There's an ecosystem on the backend market for zero days," Bambenek tells me in a phone interview. "You realize your multimillion-dollar asset of the zero day you're selling to the CIA or GRU or Mossad is about to become worthless."
The Quiet Option
The irony is that at least some attacks using the exploit would have been relatively easy to avoid, with the right advice, which was to enable the "Protected View" feature in Office, although Hanson has warned that it could potentially be defeated by attackers.
At least in come cases, however, the feature would warn users when a document wants to load external content, as attacks that target the Word flaw will do. Such a warning would at least give users the option of proceeding, and knowing they could be putting themselves at risk - especially with a zero-day flaw floating around.
Why Microsoft didn't impart that advice when it learned of the vulnerability last year isn't clear. Instead, it chose the quiet option, despite the potential risk to users.
I reached out to Microsoft, which declined to comment about its related decision-making process, or whether it plans to try and prep all future fixes within the 90-day window currently espoused by technology firms such as Google.
Instead, a spokeswoman shared this statement about the flaw: "This was addressed in the April security update released on April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected. In addition, Windows Defender, Windows Defender Advanced Threat Protection, and Office 365 Advanced Threat Protection all have detections in place to help block this type of attack method."
The Microsoft spokeswoman added that Microsoft knew attackers were actively targeting the flaw. "Prior to public disclosure last Friday, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment."
This tweet is my acknowledgement a MS Word 0day I discovered in July, and disclosed in October, has been publicly disclosed by someone else.— Ryan Hanson (@ryHanson) April 9, 2017
Hanson - who first reported the bug privately to Microsoft - said via Twitter that Microsoft told him the flaw involved a deeply rooted design issue, which might help explain why it took more than five months to prep a related fix.
"When I disclosed it, it was not being used in the wild, so I'm sure they chose to do a deeper fix to kill more bugs at once," he writes. "But as we've seen, there is a risk associated with making that choice as well. It's definitely a hard balance to get right."
Executive Editor Mathew Schwartz also contributed to this story.