Bug bounty program reveals 22 unpatched flaws, 5 in Office

New TippingPoint deadline kicks in to expose bugs, some more than two years old, in Microsoft, IBM, HP software

As it promised last year, on Monday the world's biggest bug bounty program released information about nearly two dozen unpatched vulnerabilities, including five in Microsoft Office, after deadlines expired.

The disclosure of 22 bugs -- some of them reported to their developers over two-and-a-half years ago -- resulted from a change announced six months ago by HP TippingPoint, whose Zero Day Initiative (ZDI) buys more bugs from independent researchers than any other program.

Last August, TippingPoint said it would enforce a six-month disclosure deadline, and would publish information about the bugs it bought if the flaws had not been patched before then. Previously, ZDI's policy was to indefinitely withhold a vulnerability after reporting it to a vendor, publishing its own advisory only after a patch had been issued.

Today, TippingPoint rolled out the first advisories for vulnerabilities whose deadlines had expired.

Nine of the 22 flaws were in IBM software, five were in Microsoft programs, four were in Hewlett-Packard code and one each affected CA, EMC, Novell and SCO.

All five of the Microsoft vulnerabilities disclosed by TippingPoint were in Office applications: four were in Excel, with the fifth in PowerPoint, the suite's presentation manager.

Microsoft said it had intended to patch the five flaws today as part of its monthly Patch Tuesday security updates, but backed away at the last minute.

"Microsoft was aware of the five vulnerabilities disclosed by ZDI and was working to address them as part of our regular February bulletin release cycle," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC). "However, during the process, we discovered issues that we determined would have prevented customer deployment and we chose to withdraw them for further development."

TippingPoint reported four of the five still-unpatched Microsoft vulnerabilities to the Redmond, Wash. developer more than seven months ago.

"The point of the deadline was so that vendors don't sit on vulnerabilities," said Dan Holden, the director of TippingPoint's DVLabs, echoing comments made by others at TippingPoint last August when the company slapped a deadline on disclosures. "It's like compliance for the security industry. This gives vendors a deadline to meet, to get compliant. We don't want vulnerabilities to be out there for years."

TippingPoint's decision to add a disclosure deadline followed similar moves by others last summer. In July 2010, Google reignited the debate about bug reporting with a proposal that featured, among other things, a call that researchers set a 60-day deadline. Under Google's plan, researchers would be free to take their findings public if a patch wasn't produced by the two-month deadline.

Days later, Microsoft responded by saying it wanted to change the term "responsible disclosure" to "coordinated vulnerability disclosure" to better reflect its policy and to remove the loaded word "responsible" from the discussion.

When TippingPoint announced its deadline last year, Microsoft didn't much care for it. "Only in the event of active attacks..." should bugs be revealed before a patch is ready, said Dave Forstrom, director of Microsoft's Trustworthy Computing group, last year. "And even then it should be coordinated as closely as possible."

Today, Bryant said in an e-mail reply to questions only that, "Microsoft appreciates that ZDI chose to reveal relatively little information about individual vulnerabilities, diminishing the likelihood that attackers could use the information to put customers at risk."

TippingPoint's advisories don't spell out how an unpatched bug can be triggered, but they do offer general information on where the bug resides and, in many cases, provide workarounds to help protect users until a fix is released.

"We only release a general description of the vulnerability, not specifically where it is," said Aaron Portnoy, manager of TippingPoint's security research team. "And we release mitigations, some that have come from the vendors, some from the [independent] researchers [who report the flaws] and some suggested by our own team.

"We're only concerned with what actually works, not where it came from," added Portnoy, talking about the workarounds.

All five of TippingPoint's advisories for Microsoft bugs include recommendations users can take to defend their PCs until a patch is produced.

Portnoy labeled the disclosure policy change a success. "The response has been overwhelmingly positive," he said, adding that nearly 90% of the bugs reported to the bounty program since last August had been patched within their six-month deadlines.

And he called Microsoft "generally appreciative" of the new deadlines.

"Individuals [at Microsoft's security team] completely understand the reasons, and have been pretty supportive, even if the company as a whole is not happy," said Portnoy. He added that TippingPoint had seen no "push back" from any vendor about the deadlines.

TippingPoint did extend its deadlines on some vulnerabilities -- in Microsoft, Apple and Sun Microsystems software -- for a variety of reasons, said Portnoy, including a change of ownership, a factor that played a part in the decision for the Sun bugs.

Sun was acquired by Oracle last year. "When a new company comes in, we give them another six months," said Portnoy.

Extensions were given to Microsoft in some cases because the bugs will be patched later today as part of the regularly scheduled monthly security updates.

TippingPoint's advisories for the unpatched vulnerabilities, including Microsoft's, have been published on its site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
