Zero-day bugs give severe headaches to a software vendor. In August, Apple’s iOS was hit by one, and now it is none other than Microsoft that has faced severe frowns from its customers over the zero-day vulnerability (found in the Windows kernel) made public by Google. Though Microsoft has released a patch for the bug, it took them quite some time to do so.
What actually happened?
The flaw was found while it was being exploited in a small spear-phishing campaign led by STRONTIUM, a threat group. Upon coming across the flaw, Google decided to go public with the bug details, which earned it heavy criticism from Microsoft. Google defended its decision by stating that the flaw was already being exploited by malicious actors.
Microsoft’s security updates for November include fixes for 4 disclosed zero-hour vulnerabilities. The Windows kernel flaw was disclosed by Google’s Threat Analysis Group in October. According to the analysts, the flaw enables a security sandbox escape. The flaw is tracked as CVE-2016-7255 and is found in the Windows kernel. The security issue allows unauthorized privilege escalation on unpatched systems.
Released as Microsoft Security Bulletin MS16-135, the patch is labeled ‘important’ by Microsoft. In addition to this issue, the same release addresses 4 other bugs found in the Windows kernel across various Windows versions, including the latest Windows 10.
Batch of Microsoft Security Bulletins
Along with the release of Microsoft Security Bulletin MS16-135, the company released 13 other security bulletins to address issues across the entire range of Microsoft products. While 8 of the bulletins, including MS16-135, were labelled ‘important’, the other 6 were labelled ‘critical.’
A zero-day vulnerability, also known as a 0-day or zero-hour vulnerability, is a serious software flaw that hackers and attackers can exploit to accomplish a number of unauthorized tasks, such as controlling the system’s behavior or stealing confidential data.
The other 3 zero-day flaws that were disclosed some time ago, CVE-2016-7227, CVE-2016-7199 and CVE-2016-7209, were fixed via security bulletins MS16-129 and MS16-142. Both of these bulletins were labelled ‘critical.’ These serious zero-day issues were found in Microsoft’s Internet Explorer and Edge.
All enterprises using Windows products are advised to deploy the fix for CVE-2016-7255 as soon as possible. Another important fix released by Microsoft is for a remote code execution vulnerability addressed in the MS16-132 bulletin.
The Other Partner in Crime
Alongside the Windows kernel flaw, hackers exploited an Adobe Flash flaw too. Adobe released a patch for the flaw as part of security updates for Adobe Connect and Flash Player. Adobe Connect suffered from an input validation error that hackers can exploit to trigger cross-site scripting attacks.
The Flash Player November update brings fixes for 9 critical vulnerabilities discovered in Adobe’s flagship software product. One of these issues can allow an attacker to take complete control of a system.
Headache for Software Developers
Because the industry lacks a standardised form of vulnerability disclosure, many software vendors rely on “responsible disclosure.” Under this procedure for handling zero-day vulnerabilities, whoever finds a vulnerability in the software reports the issue privately to the vendor. The details of the security issue are only made public once it has been patched.
Typically, the one who discovers the flaw can work with the original vendor on a fix. There is no fixed deadline for fixing the problem; it can vary from weeks to months. Google gives a period of 60 days to fix a zero-day vulnerability before it goes public with it.
But if the vulnerability is actively being exploited, then some, like Google, believe in going public sooner. Google gave both Microsoft and Adobe a week after finding vulnerabilities in their respective software.
The point is that because there is no universally accepted vulnerability disclosure policy, it is entirely up to the finder and the vendor to deal with the issue. Ultimately, it is the developers who have to bear all the pressure.
Zero-day vulnerabilities are as difficult to fix as they are to find. Bugs of this type are nothing less than a nightmare for developers.