Some at Microsoft expressed the opinion that this flaw would be difficult to exploit, while others thought that the claim was made in an effort to downplay the seriousness of the exploit.
There are real-world implications when protecting against a flaw that requires a patch installation. Installing patches is a non-trivial task for many enterprises, consuming resources that might be better employed elsewhere. So it is reasonable to assume that some IT managers consider the seriousness of a newly announced flaw when establishing their patch-deployment priorities, meaning more serious vulnerabilities will likely be patched before less serious ones. Voila! Now we have a window of opportunity for an attacker.
The real dilemma often lies in the extent to which attack code is publicized. As far as I know, the research firm involved with the Microsoft TCP/IP flaw noted earlier did not release attack code to the public. Furthermore, a fix was already available, and the potential to create an attack was widely known, meaning that, in all likelihood, malicious hackers were already at work on an attack. Nevertheless, the research firm was criticized for exploiting the vulnerability. Having experienced a similar situation myself, two clichés come to mind: "No good deed goes unpunished" and "Damned if you do, damned if you don't."
In 1998, I helped Miora Systems Consulting (MSC) publicize an early Web application vulnerability involving hidden form fields. The company dubbed this vulnerability MSC-HFF, or "mischief," after detecting it on a surprising number of commercial websites, including some big-name banks. My role was to provide a code fix that companies could easily implement, which MSC later released to the public. Some critics claimed that it was a publicity stunt or that this vulnerability was nothing new.
So, it is likely that the decision to go public with attack code will always be a tricky one, and there will always be some people who cry "PR stunt." However, if a security company has developed attack code for a particular vulnerability, it is entirely possible that some malicious parties have already done so. Therefore, such a vulnerability should be taken seriously, regardless of whether the attack code has been published.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Michael Cobb
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ...continue reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ...continue reading
App trackers were found in hundreds of Google Play apps. Expert Michael Cobb explains the threat they pose and how GDPR has the potential to reduce ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.