"There are 7 advisories and 6 of those are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these, every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It’s going to be a busy month for security teams everywhere," comments Ross Barrett, Rapid7's senior manager security engineering.
The general feeling is that the patches will include the vulnerability publicly disclosed by Tavis Ormandy. "Three of the bulletins roughly match the profile of the issue Google’s Tavis Ormandy disclosed back in May," said Barrett, "and given the publicity that got, I’d expect it to be patched in this round."
Wolfgang Kandek, CTO at Qualys, agrees. "Microsoft will also address a vulnerability (CVE-2013-3660) that has been discussed quite a bit since May, when Tavis Ormandy first posted about a possible way of exploiting a memory management problem in win32k.sys and soon thereafter several implementations became public (including one in Metasploit), making it in essence a 0-day," he blogged last week.
Researcher Graham Cluley uses the occasion to chastise Ormandy and repeat his support for 'responsible disclosure': "security researchers should engage responsibly with software firms to get problems fixed before revealing details of how they can be exploited." Cluley cites the example of Jack Whitten, who responsibly disclosed an SMS flaw to Facebook.
Whitten has explained his stance to Infosecurity. Referring to Google's new 7-day disclosure timeline, he commented, "I'd be prepared to wait for as long as it takes, within reason. I can understand people doing 'full disclosure' after a lengthy amount of time, such as 6 months, but not after 7 days." On his own disclosure he explained, "Disregarding the legal aspect of it, the bug could have put users in real harm. Consider the possibility of certain countries being able to access the profiles of political activists – their private data could be used to find them. The responsible route provides me with a nice reward and a clear conscience."
Ironically, the potential danger to activists and dissidents is one of the arguments put forward by Google for its 7-day limit. However, all arguments aside, the effect of Ormandy's disclosure is that there is a zero-day exploit out there that is likely to be patched tomorrow. "Patch before you’re pwned," says Cluley.
He adds, "If you are personally responsible for the security of your computer, you might find it easier to check that you have automatic updates enabled."
Sysadmins responsible for company systems will have a more difficult time. "With six issues marked critical it’s hard to make a determination of patching priority," comments Barrett, "but bulletin 2 stands out because it’s all versions of Windows and requires a restart – meaning it applies to a library or executable which is expected to be running; bulletin 3 because it impacts Windows, Office, Visual Studio and Lync – which tells me a shared library is impacted; and, bulletin 4, the ubiquitous Internet Explorer critical issue, which if nothing else has a broad exposure surface due to IE’s ever dwindling but still dominant market share."