Symantec Struggles to Separate 'Exploit' From 'Vulnerability'
By Scott M. Fulton, III | Published February 2, 2007, 11:28 AM
A tremendous amount of confusion has arisen in recent days over whether security firm Symantec actually discovered a new vulnerability in Microsoft Word three days ago, or simply uncovered a new exploit of an existing problem that Microsoft had already acknowledged. In what looks like an effort at backtracking, Symantec today appears to be saying both at once.
In a blog posting three days ago, a Symantec engineer stated the company had found new Word documents which its anti-virus program already detected as Trojan.Mdropper.X. "We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability," the engineer wrote, even though the anti-virus program obviously reported this as an existing exploit.
Elsewhere on Symantec's Web site, Trojan.Mdropper.X is described as a separate exploit of an existing vulnerability; and a Google cached copy of the document from days earlier revealed the page made this same distinction earlier.
"While these documents are being used in a targeted attack consistent with previous cases," the blog posting continued, "we have received different documents that use this same exploit from multiple organizations," without explaining how documents received from users could be using the same exploit against a different vulnerability.
In an update to the blog posting yesterday, the waters may have been muddied even further, as Symantec stated the new "vulnerability" - not "exploit" - was in fact confirmed by Microsoft to be a variation of an older "vulnerability." Meanwhile, elsewhere on the same Web site, Symantec updated its summary to state that Trojan.Mdropper.X was a new exploit, not a new vulnerability.
But the damage had already been done, as press sources who read one part of Symantec's Web site but not the other were trumpeting the discovery of a fifth unpatched vulnerability from Microsoft. One headline, "Word Zero-Day Count Up to Five," was updated on Wednesday to read, "Microsoft Disputes Word Zero-day Report." Elsewhere, a British security blog touted the "discovery" as an achievement worth celebrating, with the headline, "Give Me Five!"
Typically, a "zero-day" is an exploit discovered to be taking advantage of a vulnerability within roughly the same day as the initial reports of that vulnerability's existence. So it is hard to see how the fifth exploit of a vulnerability of a type Symantec first discovered in March 2005 qualifies as a "zero-year," let alone a "zero-day."
Other services, such as SANS Internet Storm Center, found themselves having to sort through the semantic mess, pardon the pun, for themselves. Meanwhile, services such as Secunia find themselves this morning in the unique position of being able to credit themselves for not having reported a new exploit, vulnerability, zero-day, or whatever, when a report wasn't warranted.
In a bulletin this morning, Secunia's Ina Ragragio wrote, "There were reports that a new malware sample had been found that exploited what seemed to be a new vulnerability in MS Word. Unfortunately, a lot of other vulnerability tracking outfits decided to write about it. However, it was later determined by Microsoft and Secunia that these new reports were mere speculations, and that the new malware sample indeed used the previously disclosed 0-day vulnerability (the one reported January 26th). The difference between the two malware samples was in their payloads, but the vulnerability exploited was the same."
Who cares!?
The only pertinent issue is:
Do they have a fix or not?
Score: 0
Well, perhaps you asked the question rhetorically, foxfyre, but let me respond to it anyway: The professional system administrator cares, a very great deal. This is somebody who has to keep these things distinguished and in order, and when a security firm says there's a new vulnerability and then has to say, no, wait, we didn't mean vulnerability per se, that's more confusion than the admin wants to deal with. Perhaps a general consumer can afford to have a "Who cares?" mindset about the whole thing, but then if security companies become so confused that they can't serve that consumer with the automatic sense of comfort and security that he passively demands, then the moment the world falls apart for that consumer after having opened up a malicious document, he won't be blaming the author of that document.
It's a semantic problem.
-SF3
Score: 0
It's a Symantec problem :P
Score: 0
Admins have to deal with exploits as well as vulnerabilities; we don't really care what they're called. Replace those words with "bad thing" and it will mean the same to us. The rest is just marketing and PR.
Score: 0
Damn, you beat me to it. ;)
Symantec is good at one thing: gobbling up good, smaller companies and making their products disappear or overbloating them with garbage.
Score: 0
ROFLMAO! It's not a rhetorical question, it is a question of meaningless semantics! Exactly the point to which my original post made reference. Duh!
Who cares if it is called a vulnerability or an exploit.
It indicates a Windows security vector and it should be resolved.
Therefore the only real issue of importance is: Is there a resolution?
And you might qualify just whom this affects. It affects only Windows admins, not the various manifestations of UNIX systems, whose admins are free to worry about issues of more substance.
But maybe Windows admins do worry over what to call it. The rest of the world already knows.
But we can't slip one past those swooft Windows Admins.
Score: 0