Microsoft says it is patching the zero-day vulnerability in its ubiquitous Office suite of software applications revealed last week by McAfee.
“We plan to address this through an update on Tuesday, April 11, and customers who have updates enabled will be protected automatically,” Microsoft said in a company statement emailed to CyberScoop. “Meanwhile, we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files … to avoid this type of issue.”
The vulnerability would allow a hacker to remotely take over a targeted computer — even one fully patched and up to date — as soon as the user opens an attachment. It exploits a flaw in Windows’ Object Linking and Embedding (OLE), an important feature of Office, which lets users embed or link to other Office documents, like spreadsheets or charts.
But Microsoft initially learned of the vulnerability several weeks ago, from security firm FireEye, who had privately disclosed their findings to the software giant and were working with them on an update to Office software that would fix the problem.
Microsoft has, for nearly a decade and a half, issued patches and updates the second Tuesday of every month.
FireEye said this kind of disclosure to software vendors was standard operational procedure for them.
“We work very closely with Microsoft on a regular basis … Any time we find anything suspicious related to one of their products, we get in touch with them through MAPP [the Microsoft Active Protections Program, a company partnership with security vendors]. That’s standard operation for us,” the Senior Director of FireEye’s Research Lab Matthew Allen told CyberScoop.
Allen said, because the security company tended to see vulnerabilities that were being actively exploited by hackers in the wild, vendors tended to be very responsive. Zero-day vulnerabilities are so-called because they have not been previously disclosed — meaning companies have “zero days” to fix them.
“This is different from a bug bounty program,” he said, when security researchers comb through code or experiment with software, trying to find gaps or holes that might be exploitable. “When you have a zero-day being exploited out there in the wild, in its customer base, that’s a very high priority for any vendor, because there’s no patch available.”
After reaching out to Microsoft, Allen said, “We give them as much information as we can” — being sensitive to the privacy and security of their clients, who may not want revealing details released — “We coordinate with them so they can understand what we’re seeing” on the client’s network, and help them to develop a patch. He said the collaboration went “back and forth … They’ve been very responsive.”
“From my point of view, [Microsoft’s attitude] has been very positive,” he said, acknowledging that others might have had different experiences.
Allen said FireEye decided about disclosing vulnerabilities on a “case by case basis,” but added, “generally, we don’t disclose before a patch is available.”
Cooperating with vendors so that a vulnerability and its patch are revealed simultaneously is called coordinated vulnerability disclosure, or CVD. It’s considered the ethical gold standard in security research or white-hat hacking.
“We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it, as we ourselves do when we discover vulnerabilities in other vendors’ products,” says the Microsoft website.
So why did McAfee go public right away? Their blog posting last week says they found the exploit on Thursday and published news of it Friday.
Allen declined to comment on McAfee’s decision, as did Microsoft. McAfee itself declined comment.
Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, declined to speculate about McAfee’s reasoning in this particular case, but said if a zero-day was being actively exploited in the wild, the disclosure calculus was different.
“Outside of this example, when attacks are already happening in the wild, there is an instinct to share and help when people are actively being exploited. Irrespective of a patch being available, there may be workarounds or other ways to reduce your risk of being blind-sided.”
Indeed, in their blog post, McAfee suggest a workaround — using the Windows security feature called “protected view.”
The McAfee post also does not disclose any technical details of the vulnerability, distinguishing it from a classic vulnerability disclosure, in which the technical details are laid out — sometimes accompanied by an actual “proof of concept” exploit: A piece of software that takes advantage of the vulnerability.
But the post does say that the exploit takes advantage of OLE — and even that might be useful to a would-be attacker looking to duplicate it, said Allen.
“Any disclosure does add risk … it narrows the search down … The more information that’s disclosed, the easier it is” to replicate the exploit.
Allen acknowledged that “it would take a skilled research team” to recreate the OLE vulnerability, but added, “We know there are threat actors out there who have that facility.”