Symantec Struggles to Separate 'Exploit' From 'Vulnerability'

A tremendous amount of confusion has arisen in recent days over whether security firm Symantec actually discovered a new vulnerability in Microsoft Word three days ago, or simply uncovered a new exploit of an existing problem that Microsoft had already acknowledged. In what appears to be an effort at backtracking, Symantec today seems to be saying both simultaneously.

In a blog posting three days ago, a Symantec engineer stated the company had found new Word documents which its anti-virus program already detected as Trojan.Mdropper.X. "We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability," the engineer wrote, even though the anti-virus program obviously reported this as an existing exploit.

Elsewhere on Symantec's Web site, Trojan.Mdropper.X is described as a separate exploit of an existing vulnerability, and a Google cached copy of the document from days earlier revealed the page had already made this same distinction.

"While these documents are being used in a targeted attack consistent with previous cases," the blog posting continued, "we have received different documents that use this same exploit from multiple organizations," not explaining how the documents received from users could be utilizing the same exploit, though a different vulnerability.

In an update to the blog posting yesterday, the waters may have been muddied even further, as Symantec stated the new "vulnerability" - not "exploit" - was in fact confirmed by Microsoft to be a variation of an older "vulnerability." Meanwhile, elsewhere on the same Web site, Symantec updated its summary to state that Trojan.Mdropper.X was a new exploit, not a new vulnerability.

But the damage had already been done, as press sources who read one part of Symantec's Web site but not the other were trumpeting the discovery of a fifth unpatched vulnerability from Microsoft. One headline, "Word Zero-Day Count Up to Five," was updated on Wednesday to read, "Microsoft Disputes Word Zero-day Report." Elsewhere, a British security blog touted the "discovery" as an achievement worth celebrating, with the headline, "Give Me Five!"

Typically, a "zero-day" is an exploit discovered to be taking advantage of a vulnerability within roughly the same day as the initial reports of its existence. So it would seem difficult to explain how the fifth exploit of a vulnerability, the type of which Symantec discovered in March 2005, qualifies as a "zero-year," let alone a "zero-day."

Other services, such as SANS Internet Storm Center, found themselves having to sort through the semantic mess, pardon the pun, for themselves. Meanwhile, services such as Secunia find themselves this morning in the unique position of being able to credit themselves for not having reported a new exploit, vulnerability, zero-day, or whatever, when a report wasn't warranted.

In a bulletin this morning, Secunia's Ina Ragragio wrote, "There were reports that a new malware sample had been found that exploited what seemed to be a new vulnerability in MS Word. Unfortunately, a lot of other vulnerability tracking outfits decided to write about it. However, it was later determined by Microsoft and Secunia that these new reports were mere speculations, and that the new malware sample indeed used the previously disclosed 0-day vulnerability (the one reported January 26th). The difference between the two malware samples was in their payloads, but the vulnerability exploited was the same."
