A report of a security flaw in Microsoft Office 2010 has been greeted with criticism by Microsoft because researchers chose not to notify the company of their findings.
Researchers at Vupen Security said they discovered a memory corruption flaw that could be used by an attacker to execute code. The company June 22 said it “created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features.”
The bug, Vupen CEO Chaouki Bekrar told eWEEK, is caused by a heap corruption error when processing malformed data within an Excel document.
“Exploiting this vulnerability is not trivial since many security features are enabled by default in Office 2010 including DEP … Office File Validation and Protected View,” Bekrar explained in an e-mail. “However, we have been able to reliably achieve code execution via a specially crafted Excel document.”
While technical details of the bug have not been disclosed by Vupen, the company said, “our [government] customers who are members of the Vupen Threat Protection Program have access to the full binary analysis of the vulnerability” as well as detection guidance. What the company has not done, however, is give the vulnerability details to Microsoft.
“Microsoft is aware of a claimed vulnerability but does not have the details to validate the claim,” Jerry Bryant, group manager of response communications at Microsoft, said in a statement. “To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber-criminals learn of-and work to exploit-a vulnerability.”
Bekrar contended that his company actively supports responsible disclosure, and since January has discovered and responsibly reported 130 critical vulnerabilities, including more than 50 unpatched flaws affecting Microsoft products such as Office Word, Excel and Internet Explorer.
“Vupen did not and will not publicly disclose any technical details regarding these vulnerabilities,” he wrote. “We used [them] to alert the affected vendors and governments or law enforcement agencies who are members of the Vupen Threat Protection Program to allow them protect national infrastructures from potential attacks.
“We did not provide the details of the Office 2010 vulnerability to Microsoft as discovering and researching that vulnerability was a very long process (many weeks) and an important investment for Vupen, so … to just get our names in the credit section of a Microsoft advisory as a compensation for our work is not enough.”
In the past several weeks, there have been some prominent incidents showing that the concepts underlying responsible disclosure may not be clear-cut. The AT&T data leak involving the e-mail addresses of iPad 3G customers and a Windows bug uncovered by a Google engineer brought the issue to a head as well.
While there are many ways to protect customers from attacks, the creators of a product are in the best position to understand the general risk to the broader customer base and create updates to the product or service that protect everyone, Bryant said.
“Vulnerability-sharing programs that do not include the software vendor are risky programs and do not promote overall customer safety,” he said.