By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Some at Microsoft expressed the opinion that this flaw would be difficult to exploit, while others thought that the claim was made in an effort to downplay the seriousness of the exploit.
There are real-world implications when protecting against a flaw that requires a patch installation. Installing patches is a non-trivial task for many enterprises, consuming resources that might be better employed elsewhere. So it is reasonable to assume that some IT managers consider the seriousness of a newly announced flaw when establishing their patch-deployment priorities, meaning more serious vulnerabilities will likely be patched before less serious ones. Voila! Now we have a window of opportunity for an attacker.
The real dilemma often lies in the extent to which attack code is publicized. As far as I know, the research firm involved with the Microsoft TCP/IP flaw noted earlier did not release attack code to the public. Furthermore, a fix was already available, and the potential to create an attack was widely known, meaning that, in all likelihood, malicious hackers were already at work on an attack. Nevertheless, the research firm was criticized for exploiting the vulnerability. Having experienced a similar situation myself, two clichés come to mind: "No good deed goes unpunished" and "Damned if you do, damned if you don't."
In 1998, I helped Miora Systems Consulting (MSC) publicize an early Web application vulnerability involving hidden form fields. The company dubbed this vulnerability MSC-HFF, or "mischief," after detecting it on a surprising number of commercial websites, including some big-name banks. My role was to provide a code fix that companies could easily implement, which MSC later released to the public. Some critics claimed that it was a publicity stunt or that this vulnerability was nothing new.
So, it is likely that the decision to go public with attack code will always be a tricky one, and there will always be some people who cry "PR stunt." However, if a security company has developed attack code for a particular vulnerability, it is entirely possible that some malicious parties have already done so. Therefore, such a vulnerability should be taken seriously, regardless of whether the attack code has been published.
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Michael Cobb
Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb ...continue reading
After a remote code execution flaw in PHPMailer was patched, the problem persisted, and had to be repatched. Expert Michael Cobb explains how the ...continue reading
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.