By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Some at Microsoft expressed the opinion that this flaw would be difficult to exploit, while others thought that the claim was made in an effort to downplay the seriousness of the exploit.
There are real-world implications when protecting against a flaw that requires a patch installation. Installing patches is a non-trivial task for many enterprises, consuming resources that might be better employed elsewhere. So it is reasonable to assume that some IT managers consider the seriousness of a newly announced flaw when establishing their patch-deployment priorities, meaning more serious vulnerabilities will likely be patched before less serious ones. Voila! Now we have a window of opportunity for an attacker.
The real dilemma often lies in the extent to which attack code is publicized. As far as I know, the research firm involved with the Microsoft TCP/IP flaw noted earlier did not release attack code to the public. Furthermore, a fix was already available, and the potential to create an attack was widely known, meaning that, in all likelihood, malicious hackers were already at work on an attack. Nevertheless, the research firm was criticized for exploiting the vulnerability. Having experienced a similar situation myself, two clichés come to mind: "No good deed goes unpunished" and "Damned if you do, damned if you don't."
In 1998, I helped Miora Systems Consulting (MSC) publicize an early Web application vulnerability involving hidden form fields. The company dubbed this vulnerability MSC-HFF, or "mischief," after detecting it on a surprising number of commercial websites, including some big-name banks. My role was to provide a code fix that companies could easily implement, which MSC later released to the public. Some critics claimed that it was a publicity stunt or that this vulnerability was nothing new.
So, it is likely that the decision to go public with attack code will always be a tricky one, and there will always be some people who cry "PR stunt." However, if a security company has developed attack code for a particular vulnerability, it is entirely possible that some malicious parties have already done so. Therefore, such a vulnerability should be taken seriously, regardless of whether the attack code has been published.
Dig Deeper on Vulnerability Risk Assessment
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.