News 

The MSA 933052 vulnerability affects Office 2000 and XP and has the potential for a remote attacker to run arbitrary code on the target computer.

There are already reports of what Microsoft describes as 'very limited, targeted attacks attempting to exploit this'.

It says that it 'has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability,' and that it 'intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.'

In short: for the time being Microsoft OneCare customers are protected. Customers using software from rivals such as Symantec, McAfee, F-Secure, Kaspersky and others may not be.

Microsoft told us that: 'Live OneCare had been updated earlier. The current attacks that seek to exploit the vulnerability in Microsoft Security Advisory 933052 also aim to exploit other, older vulnerabilities for which security updates are already available, and Microsoft previously added detection for malware that attempted to exploit those issues.

'As part of the regular security response process, this information will be made available as soon as possible to partners through the Microsoft Security Response Alliance (MSRA), which is a comprehensive organization that allows industry partners and governments to share information and best practices to help protect customers from malicious threats.'

Eyebrows were raised about the possible anticompetitiveness of Microsoft entering the consumer security software market, and its ability to gain prior access to vulnerability details highlights the issue.

Kevin Hogan, Director of Symantec Security Response, admitted that: 'To a degree, Microsoft has an advantage over others in the IT community, as responsible members of the community are obliged to provide Microsoft with information regarding new vulnerabilities

ADVERTISEMENT

and exploits that affect its OS or applications.

'In the case of malware that uses zero-day exploits, that means giving Microsoft samples of the malware as well. Microsoft can and does leverage its position as the vendor of the OS or application to ensure its security software is kept up-to-date more quickly than other vendors who may not have received that particular sample or have any information. This advantage is especially pronounced when dealing with targeted attacks, where maybe only one vendor has the relevant sample. Such is the case with the malware mentioned in MSA 933052.'

Mikko Hypponen, Chief Research Officer at Finnish security company F-Secure told us the company was in discussions with Microsoft over this issue, but that he couldn't comment further.

Hogan maintained that 'Symantec does not rely on Microsoft's published analysis of malware for our own detections,' but that it uses 'information from Microsoft in our own research to identify signatures and other solutions to protect our own customers from the possible impact of these vulnerability announcements.'

Access to vulnerability details is one of the key fronts in security offerings. Shoring up the means by which an attacker can exploit a vulnerability obviates the need to address each variation of an attack with a separate virus signature. In the case of the LSASS Windows vulnerability, using intrusion prevention systems to close up the vulnerability is the equivalent of fending off the 394 virus variants used to attack the flaw in a single bound.

Hogan added that despite Microsoft's advantages, it doesn't appear to have been successful against its competitors. 'That's not to say that this [early access to vulnerability details] benefits Microsoft across the board. While ownership of the OS and malware reporting tools that ship with OS updates and send back infection information and samples is advantage enough, it doesn't necessarily seem to have benefited them to the degree you'd expect based on our own internal and third-party evaluation of their security offerings.'

Even so, it's relatively early days for Microsoft's consumer security software. Built around expertise bought in from Romanian antivirus company GeCAD, OneCare only launched in the US in the middle of last year, hitting UK shores in January 2007.

It failed VirusBulletin's round up of antivirus software for Vista, and according to Symantec-commissioned research fared poorly in comparison with the competition when it came to detecting rootkits and spyware. However, OneCare was the only antispyware software to clean up 100 per cent of the spyware it found.