Bug Bounty Program Reveals 22 Unpatched Flaws, 5 in Office

As it promised last year, the world's biggest bug bounty program released information about nearly two dozen unpatched vulnerabilities, including five in Microsoft Office, after deadlines expired.

The disclosure of 22 bugs -- some of them reported to their developers over two-and-a-half years ago -- resulted from a change announced six months ago by HP TippingPoint, whose Zero Day Initiative (ZDI) buys more bugs from independent researchers than any other program.

Last August, TippingPoint said it would enforce a six-month disclosure deadline, and would publish information about the bugs it bought if the flaws had not been patched before then. Previously, ZDI's policy was to indefinitely withhold a vulnerability after reporting it to a vendor, publishing its own advisory only after a patch had been issued.

TippingPoint rolled out the first advisories for vulnerabilities whose deadlines had expired.

Nine of the 22 flaws were in IBM software, five were in Microsoft programs, four were in Hewlett-Packard code and one each affected CA, EMC, Novell and SCO.

All five of the Microsoft vulnerabilities disclosed by TippingPoint were in Office applications: Four were in Excel, with the fifth in PowerPoint, the suite's presentation manager.

Microsoft said it had intended to patch the five flaws as part of its monthly patch of security updates, but backed away at the last minute.

"Microsoft was aware of the five vulnerabilities disclosed by ZDI and was working to address them as part of our regular February bulletin release cycle," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC). "However, during the process, we discovered issues that we determined would have prevented customer deployment and we chose to withdraw them for further development."

TippingPoint reported four of the five still-unpatched Microsoft vulnerabilities to the Redmond, Wash., developer more than seven months ago.

"The point of the deadline was so that vendors don't sit on vulnerabilities," said Dan Holden, the director of TippingPoint's DVLabs, echoing comments made by others at TippingPoint last August when the company slapped a deadline on disclosures. "It's like compliance for the security industry. This gives vendors a deadline to meet, to get compliant. We don't want vulnerabilities to be out there for years."

TippingPoint's decision to add a disclosure deadline followed similar moves by others last summer. In July 2010, Google reignited the debate about bug reporting with a proposal that featured, among other things, a call that researchers set a 60-day deadline. Under Google's plan, researchers would be free to take their findings public if a patch wasn't produced by the two-month deadline.

Days later, Microsoft responded by saying it wanted to change the term "responsible disclosure" to "coordinated vulnerability disclosure" to better reflect its policy and to remove the loaded word "responsible" from the discussion.

When TippingPoint announced its deadline last year, Microsoft didn't much care for it. "Only in the event of active attacks..." should bugs be revealed before a patch is ready, said Dave Forstrom, director of Microsoft's Trustworthy Computing group, last year. "And even then it should be coordinated as closely as possible."

Bryant said in an e-mail reply to questions only that, "Microsoft appreciates that ZDI chose to reveal relatively little information about individual vulnerabilities, diminishing the likelihood that attackers could use the information to put customers at risk."

TippingPoint's advisories don't spell out how an unpatched bug can be triggered, but they do offer general information on where the bug resides and, in many cases, provide workarounds to help protect users until a fix is released.

"We only release a general description of the vulnerability, not specifically where it is," said Aaron Portnoy, manager of TippingPoint's security research team. "And we release mitigations, some that have come from the vendors, some from the [independent] researchers [who report the flaws] and some suggested by our own team.

"We're only concerned with what actually works, not where it came from," added Portnoy, talking about the workarounds.

All five of TippingPoint's advisories for Microsoft bugs include recommendations users can take to defend their PCs until a patch is produced.

Portnoy labeled the disclosure policy change a success. "The response has been overwhelmingly positive," he said, adding that nearly 90% of the bugs reported to the bounty program since last August had been patched within their six-month deadlines.

And he called Microsoft "generally appreciative" of the new deadlines.

"Individuals [at Microsoft's security team] completely understand the reasons, and have been pretty supportive, even if the company as a whole is not happy," said Portnoy. He added that TippingPoint had seen no "push back" from any vendor about the deadlines.

TippingPoint did extend its deadlines on some vulnerabilities -- in Microsoft, Apple and Sun Microsystems software -- for a variety of reasons, said Portnoy, including a change of ownership, a factor that played a part in the decision for the Sun bugs.

Sun was acquired by Oracle last year. "When a new company comes in, we give them another six months," said Portnoy.

Extensions were given to Microsoft in some cases because the bugs will be patched later today as part of the regularly scheduled monthly security updates.

TippingPoint's advisories for the unpatched vulnerabilities, including Microsoft's, have been published on its site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
