By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Some at Microsoft expressed the opinion that this flaw would be difficult to exploit, while others thought that the claim was made in an effort to downplay the seriousness of the exploit.
There are real-world implications when protecting against a flaw that requires a patch installation. Installing patches is a non-trivial task for many enterprises, consuming resources that might be better employed elsewhere. So it is reasonable to assume that some IT managers consider the seriousness of a newly announced flaw when establishing their patch-deployment priorities, meaning more serious vulnerabilities will likely be patched before less serious ones. Voila! Now we have a window of opportunity for an attacker.
The real dilemma often lies in the extent to which attack code is publicized. As far as I know, the research firm involved with the Microsoft TCP/IP flaw noted earlier did not release attack code to the public. Furthermore, a fix was already available, and the potential to create an attack was widely known, meaning that, in all likelihood, malicious hackers were already at work on an attack. Nevertheless, the research firm was criticized for exploiting the vulnerability. Having experienced a similar situation myself, two clichés come to mind: "No good deed goes unpunished" and "Damned if you do, damned if you don't."
In 1998, I helped Miora Systems Consulting (MSC) publicize an early Web application vulnerability involving hidden form fields. The company dubbed this vulnerability MSC-HFF, or "mischief," after detecting it on a surprising number of commercial websites, including some big-name banks. My role was to provide a code fix that companies could easily implement, which MSC later released to the public. Some critics claimed that it was a publicity stunt or that this vulnerability was nothing new.
So, it is likely that the decision to go public with attack code will always be a tricky one, and there will always be some people who cry "PR stunt." However, if a security company has developed attack code for a particular vulnerability, it is entirely possible that some malicious parties have already done so. Therefore, such a vulnerability should be taken seriously, regardless of whether the attack code has been published.
Dig Deeper on Vulnerability Risk Assessment
Related Q&A from Michael Cobb
Many large enterprises have their own internal public key infrastructure. Expert Michael Cobb explains the considerations organizations should make ...continue reading
Network administrators typically resist policies for separate accounts when performing different tasks. Expert Michael Cobb explains the risk of ...continue reading
Microsoft is banning weak passwords on many of its services with the Smart Password Lockout feature. Expert Michael Cobb explains how it works, and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.