UPDATED Microsoft updates OneCare ahead of rivals

 

Gallery

Posted on 15 Feb 2007 at 15:52

Microsoft has warned of a flaw in its Word software, and has already patched its OneCare security software before details of the vulnerability have been given to rival companies in the security industry.

The MSA 933052 vulnerability affects Office 2000 and XP and has the potential for a remote attacker to run arbitrary code on the target computer.

There are already reports of what Microsoft describes as 'very limited, targeted attacks attempting to exploit this'.

It says that it 'has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability,' and that it 'intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.'

In short: for the time being Microsoft OneCare customers are protected. Customers using software from rivals such as Symantec, McAfee, F-Secure, Kaspersky and others may not be.

Microsoft told us that: 'Live OneCare had been updated earlier. The current attacks that seek to exploit the vulnerability in Microsoft Security Advisory 933052 also aim to exploit other, older vulnerabilities for which security updates are already available, and Microsoft previously added detection for malware that attempted to exploit those issues.

'As part of the regular security response process, this information will be made available as soon as possible to partners through the Microsoft Security Response Alliance (MSRA), which is a comprehensive organization that allows industry partners and governments to share information and best practices to help protect customers from malicious threats.'

Eyebrows were raised about the possible anticompetitiveness of Microsoft entering the consumer security software market, and its ability to gain prior access to vulnerability details highlights the issue.

Kevin Hogan, Director of Symantec Security Response, admitted that: 'To a degree, Microsoft has an advantage over others in the IT community, as responsible members of the community are obliged to provide Microsoft with information regarding new vulnerabilities and exploits that affect its OS or applications.

'In the case of malware that uses zero-day exploits, that means giving Microsoft samples of the malware as well. Microsoft can and does leverage its position as the vendor of the OS or application to ensure its security software is kept up-to-date more quickly than other vendors who may not have received that particular sample or have any information. This advantage is especially pronounced when dealing with targeted attacks, where maybe only one vendor has the relevant sample. Such is the case with the malware mentioned in MSA 933052.'

Mikko Hypponen, Chief Research Officer at Finnish security company F-Secure told us the company was in discussions with Microsoft over this issue, but that he couldn't comment further.

Hogan maintained that 'Symantec does not rely on Microsoft's published analysis of malware for our own detections,' but that it uses 'information from Microsoft in our own research to identify signatures and other solutions to protect our own customers from the possible impact of these vulnerability announcements.'

Access to vulnerability details is one of the key fronts in security offerings. Shoring up the means by which an attacker can exploit a vulnerability obviates the need to address each variation of an attack with a separate virus signature. In the case of the LSASS Windows vulnerability, using intrusion prevention systems to close up the vulnerability is the equivalent of fending off the 394 virus variants used to attack the flaw in a single bound.