Silicon Shecky

Infosec Practitioner

Connect

Zero-Day Exploit: A Tale of Two Companies

By Leave a Comment

It is interesting watching how different companies look at patches, and security holes. It is more interesting to see one giant seem to fail at prompt patching for a Zero-Day exploit, while another gives a basic time frame and is pretty much right on as far as when the fix will be out. Of Course the two companies I am talking about are Adobe, and Microsoft.

Adobe released the patch for the JavaScript Vulnerability in all of its Acrobat products this past week. They had said they would have patches out by the 18th, when the flaw was pointed out by Symantec back in February. That is pretty prompt if you ask me. They acknowledge a serious flaw, say when they hope to have a patch available to close it, and then hit that time frame.

The fact of the matter is a great many pieces of software, both closed and open source, take these flaws and vulnerabilities seriously, and are very prompt in patching the holes. Yeah you hear Opens Source people talk about how much quicker they are able to patch things, but they tend to refer to Microsoft, and don’t think about all the other companies out there.

That does bring us to case 2, which just happens to be Microsoft. Back in January, a Zero-Day exploit in Excel was found. Now if a flaw like this had been found in Internet Explorer or Windows, we might have a patch for it already, probably released Out Of Band (not on the normal patch Tuesday every month). Instead, with it only being Excel, we are nearing the end of March, and still no patch for it. Now mind you this exploit was found a month before the Adobe one. Last I check, Excel was a very popular program, used by a lot of individuals and companies. Yet, Microsoft still has no patch for it.

Sure you can say that Excel is a complex program, but so is every program out there in this day and age. Sure you can say that Microsoft is working on it, except I haven’t heard anything about a patch from Microsoft. No expected time frame on getting a patch out, no nothing. Yes, this is the sort of thing the Open Source people feed on, and I can’t blame them.

I use both Microsoft, and Open Source software, so don’t think I’m bashing something I don’t use. Microsoft as a company has come a long way in their patch management, but they still have a long long way to go. Then again so does Linux, but that will be an editorial for another day.

I just want to know that I’m not going to have to deal with clients who get hit by the Excel exploit. Please get us our patch.