A report of a security flaw in Microsoft Office 2010 has been greeted with
criticism by Microsoft because researchers chose not to notify the company of
their findings.
Researchers at Vupen Security
said they discovered a memory corruption flaw that could be used by an
attacker to execute code. The company June 22 said it "created a code
execution exploit which works with Office 2010 and bypasses DEP (Data Execution
Prevention) and Office File Validation features."
The bug, Vupen CEO Chaouki Bekrar told
eWEEK, is caused by a heap corruption error when processing malformed data
within an Excel document.
"Exploiting this vulnerability is not trivial since
many security features are enabled by default in Office 2010
including DEP ... Office File Validation and Protected View," Bekrar
explained in an e-mail. "However, we have been able to reliably achieve
code execution via a specially crafted Excel document."
While technical details of the bug have not been disclosed by Vupen, the
company said, "our [government] customers who are members of the Vupen
Threat Protection Program have access to the full binary analysis of the
vulnerability" as well as detection guidance. What the company has not
done, however, is give the vulnerability details to Microsoft.
"Microsoft is aware of a claimed vulnerability but does not have the
details to validate the claim," Jerry Bryant, group manager of response
communications at Microsoft, said in a statement. "To minimize risk
to computer users, Microsoft continues to encourage responsible disclosure.
Reporting vulnerabilities directly to vendors helps ensure that customers receive
comprehensive, high-quality updates before cyber-criminals learn of—and work to
exploit—a vulnerability."
Bekrar contended that his company actively supports responsible disclosure,
and since January has discovered and responsibly reported 130 critical vulnerabilities,
including more than 50 unpatched flaws
affecting Microsoft products such as Office Word, Excel and Internet
Explorer.
"Vupen did not and will not publicly disclose any technical details
regarding these vulnerabilities," he wrote. "We used [them]
to alert the affected vendors and governments or law enforcement agencies
who are members of the Vupen Threat Protection Program to allow them protect
national infrastructures from potential attacks.
"We did not provide the details of the Office 2010 vulnerability to
Microsoft as discovering and researching that vulnerability was a
very long process (many weeks) and an important investment for Vupen, so ...
to just get our names in the credit section of a Microsoft advisory as a
compensation for our work is not enough."
In the past several weeks, there have been some prominent incidents showing that
the concepts underlying responsible disclosure may not be clear-cut. The AT&T
data leak involving the e-mail addresses of iPad 3G customers and a Windows bug uncovered by a Google
engineer brought the issue to a head as well.
While there are many ways to protect customers from attacks, the creators of
a product are in the best position to understand the general risk to the
broader customer base and create updates to the product or service that protect
everyone, Bryant said.
"Vulnerability-sharing programs that do not include the software vendor
are risky programs and do not promote overall customer safety," he said.
IT Security & Network Security News & Reviews News & Reviews 
