Researchers clam up about Microsoft's rush patches

Microsoft Corp. has dropped a cone of silence over several security researchers who have recently divulged details of the vulnerabilities that the company will patch later today with a pair of emergency updates.

Yesterday, security experts involved with two separate lines of research declined to comment further about the findings they had already published, saying or hinting that they were doing so at Microsoft's request.

The practice is certainly unusual, said a researcher who was not involved in the investigations. "It's not uncommon for vendors to ask researchers to withhold information," said Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's more like a gentlemen's agreement, where the vendor says, 'Here's the date we'll patch, and after that you can disclose whatever you want.'"

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Microsoft Corp. has dropped a cone of silence over several security researchers who have recently divulged details of the vulnerabilities that the company will patch later today with a pair of emergency updates.

Yesterday, security experts involved with two separate lines of research declined to comment further about the findings they had already published, saying or hinting that they were doing so at Microsoft's request.

The practice is certainly unusual, said a researcher who was not involved in the investigations. "It's not uncommon for vendors to ask researchers to withhold information," said Andrew Storms, director of security operations at nCircle Network Security Inc. "But it's more like a gentlemen's agreement, where the vendor says, 'Here's the date we'll patch, and after that you can disclose whatever you want.'"

At the Black Hat security conference on Wednesday, Ryan Smith, Mark Dowd and David Dewey are scheduled to show how to bypass the "kill-bit" mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls. The company used the technique July 14 to disable a video-streaming ActiveX control used by Internet Explorer because it wasn't able to fully patch the underlying problem in time.

Smith is a vulnerability researcher at VeriSign iDefense, while Dowd and Dewey both work for IBM Internet Security Systems' X-Force team.

Although Smith has already posted a video that demonstrates that he, Dowd and Dewey were able exploit a kill-bit copy of IE, Smith said yesterday he couldn't answer questions about their research or confirm that it had prompted Microsoft to rush out its "out-of-cycle" patches.

"There's currently a trifecta-style embargo on my sharing information," Smith said in an e-mail. "Right now, all I'm allowed to say is that we've been working with Microsoft, and the update to be released tomorrow is going to address some of the issues to be [covered] in our speech on Wednesday at 3:15 p.m. PT."

Smith said the embargo would be lifted once Microsoft issues the emergency patches.

German security researcher Dennis Elser also declined yesterday to answer questions about the research he and Thomas Dullien, the CEO and head of research at Zynamics GmbH, have published claiming that the vulnerabilities to be patched today exist in several critical components of Windows and an unknown number of third-party applications.

Dullien, under his researcher moniker of "Halvar Flake," first posted details of his work with Elser on July 9, a week before Microsoft delivered the kill-bit update to cripple the flawed ActiveX control.

According to Elser, Dullien was asked by Microsoft to refrain from commenting on what the two had found, and Elser said he was taking the same tack. However, he was willing to speculate about what Microsoft's request meant. "The fact they asked Halvar [Flake] to not comment any further, plus his two latest blog posts are evidence enough, at least for me, to assume that they're going to patch the vulnerability within ATL (the msvidctl.dll issue) [today]," said Elser in an e-mail yesterday.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.