[Infowarrior] - Microsoft, Aurora: Forest & Trees

Richard Forno rforno at infowarrior.org
Sun Jan 24 14:53:07 UTC 2010


Microsoft, Aurora and something about forest and trees?
Posted by jericho 3 hours ago

Perhaps it is the fine tequila this evening, but I really don't get how our industry can latch on to the recent 'Aurora' incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to very roughly summarize:

News surfaces Google, Adobe and 30+ companies hit by "0-day" attack

Google uses this for political overtones

Originally thought to be Adobe 0-day, revealed it was MSIE 0-day

Jan 14, confirmed it is MSIE vuln, shortly after dubbed "aurora"

Jan 21, uproar over MS knowing about the vuln since Sept

Now, here is where we get to the whole forest, trees and some analogy about eyesight. Oh, I'll warn (and surprise) you in advance, I am giving Microsoft the benefit of the doubt here (well, for half the blog post) and throwing this back at journalists and the security community instead. Let's look at this from a different angle.

The big issue that is newsworthy is that Microsoft knew of this vulnerability in September, and didn't issue a patch until late January. What is not clear is if Microsoft knew it was being exploited. The wording of the Wired article doesn't make it clear: "aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies" and "Microsoft confirmed it learned of the so-called 'zero-day' flaw months ago". Errr, nice wording. Microsoft was aware of the vulnerability (technically), before hackers exploited it, but doesn't specifically say if they KNEW hackers were exploiting it. Microsoft learned of the "0-day" months ago? No, bad bad bad. This is taking an over-abused term and making it even worse. If a vulnerability is found and reported to the vendor before it is exploited, is it still 0-day (tree, forest, no one there to hear it falling)?

Short of Microsoft admitting they knew it was being exploited, we can only speculate. So, for fun, let's give them a pass on that one and assume it was like any other privately disclosed bug. They were working it like any other issue, fixing, patching, regression testing, etc. Good Microsoft!

Bad Microsoft! But, before you jump on the bandwagon, bad journalists! Bad security community!

Why do you care they sat on this one vulnerability for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five code execution bugs for longer? Where was the outpouring of blogs or news articles mentioning that "aurora" was one of six vulnerabilities reported to them during or before September, all in MSIE, all of which allowed remote code execution (tree, forest, not seeing one for the other)?

< - more - and some pretty tables too ->

http://blog.osvdb.org/2010/01/24/microsoft-aurora-and-something-about-forest-and-trees#