Details Trickle Out
But that's not always the case. Last month, researchers at Core Security Technologies and Immunity each released advisories about a remotely exploitable flaw in the WINS (Windows Internet Naming Service) system in many versions of Windows. WINS is an internal system for naming machines on a network, somewhat akin to the Internet's DNS (Domain Name System). Researchers have known about a vulnerability in the service since May, when some rough details about the problem were published.
Neither bulletin appeared in any of the popular online summaries of security activity during the Thanksgiving weekend, leading some in the security community to accuse Microsoft of pressuring watchdog groups such as The SANS Institute and US-CERT to keep the issue quiet. Microsoft officials said "in no way whatsoever could that possibly be true."
Although the flaw was disclosed in May, Microsoft just published technical guidance on the problem last week and has not yet produced a patch, a fact that has some researchers questioning the Redmond, Wash., company's commitment to security.
"How long have they really known about this? It was disclosed in May. Did Microsoft find it and pretend no one knew about it?" asked Dave Aitel, CEO of Immunity, based in New York. "It's been exploited since May. Any large organization will be running [WINS]. Our exploit is a perfectly reliable remote root."
Microsoft officials said that the original May report of the WINS vulnerability was "very fragmented and not very detailed" and that another researcher brought the company a detailed report a few weeks later. Microsoft has been working on a fix for the flaw since then, but there is no specific timeline for its release. Officials added that researchers releasing vulnerability reports before fixes are ready makes the patching process harder.
"Our drive is to make sure the update doesn't introduce new vulnerabilities. We have to focus on quality because we can't just give you an update that breaks your infrastructure, because then you won't trust updates from us again," said Stephen Toulouse, security program manager at the Microsoft Security Response Center.
Many security organizations did their own auditing of WINS and found the flaw themselves after the first notice came out and then built exploits for it. But it was not until Thanksgiving, when Core released its advisory, that the problem became widely known. Immunity followed up the next day with its advisory, which was detailed and included instructions on how to exploit the vulnerability.