Researchers clam up about Microsoft's rush patches
According to Dullien and Elser, Microsoft's kill-bit solution wasn't sufficient, since a programming error in a code "library" called Active Template Library (ATL) had resulted in vulnerabilities in other crucial Windows files, and perhaps third-party applications whose developers had also used ATL. They counted at least five such files in Windows XP and at least 13 in Vista.
"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue," Dullien said in his July 9 post.
It's possible that the two lines of research are related. As Robert McMillan of the IDG News Service reported Monday, the bug that let Smith, Dowd and Dewey skirt the kill-bit fix may lie in ATL, which Dullien and Elser have been investigating.
"This is a little bit different than normal responsible disclosure," said nCircle's Storms when asked his take on the researchers' silence. "There has been some information made public." Storms compared it to last year's disclosure by Dan Kaminsky, also prior to Black Hat, of a critical flaw in the Domain Name System (DNS) software used to direct traffic on the Internet. "That was kept secret, but several people guessed it before there was a patch ready, so there were friendly reminders [to those researchers] to stop discussing it publicly," said Storms.
Microsoft will issue the out-of-band updates today for IE and Visual Studio via its usual Windows Update and Windows Server Update Services (WSUS) mechanisms at around 1 p.m. ET.
Later today, at both 4 p.m. and 7 p.m. ET, Microsoft will host a webcast to take customer questions. Typically, Microsoft hosts such webcasts the day after it delivers patches.