Within hours of Microsoft's critical patch release Tuesday, exploit code for some of the flaws appeared in the wild, security firms sounded the alarm and a familiar debate began anew:
When researchers post details on how to exploit vulnerabilities, are they arming the masses with security-bolstering information? Or are they just nurturing their egos and handing the bad guys a recipe for attack?
Whichever side you take, most security experts tend to agree it's best to patch systems quickly and avoid trouble. After all, attackers have proven several times in recent months that they only need a few days or even hours to successfully target new flaws. But one security expert said it makes no sense to get alarmed every time new exploit code appears.
"When someone mentions that exploit code is out there and warns that it means an attack is imminent, that's over-hype," said Daniel Bezilla, CTO of Herndon, Va.-based Secure Elements. "I think I've only seen a couple vulnerabilities over time where the exploit code wasn't available. Telling someone there's exploit code available for a vulnerability -- that's a given."
In the case of Tuesday's security bulletins from Microsoft, he said exploit code was "essentially released the next day, which tells you they had the code done and were just waiting for the vulnerability details to come out." He added, "Typically, people post exploit information to say 'Hey, I have this and someone else might have it as well.' Once the patch comes out, the value of having the exploit code in your toolbox diminishes in value so you tend to just put it out there. Then it's up to the virus writer to figure out how to leverage it."
As far as Bezilla is concerned, the exploit code to worry about is for vulnerabilities the masses don't know about yet.
As for the vulnerabilities Microsoft outlined Tuesday, here are examples of exploit details that followed:
Dave Aitel, CEO and founder of New York-based Immunity, Inc., released details on how to exploit a message queuing flaw in Windows that attackers could use to take over machines and install programs; view, change or delete data; and create new accounts with full user rights.
In a Web site message, Aitel said, "I honestly think it's weird when people talk about patch windows. Your patch window [Tuesday] was 25 minutes or negative five years, depending on how you look at it. Once you accept that [zero-day] exists, you need to look into secondary layers of defense that actually work. Whining about the amount of exploit information available to the public is missing the point."
Meanwhile, the French Security Incident Response Team released details on how to exploit critical flaws in Internet Explorer that attackers could also use to take over machines and launch malicious code.
Finnish security firm F-Secure Corp. also noted in its daily blog that exploit code is available for a security hole Microsoft hasn't patched yet.
"Exploit code for a Microsoft Jet Database Engine vulnerability has been published," F-Secure said. "This vulnerability can be exploited to run arbitrary code if the user opens a crafted Access database file… It was not addressed by Microsoft's April security patches released [Tuesday]."
The firm also noted the exploit code available for the Internet Explorer flaws and said, "You really should apply the patch immediately. Often within a few days of these proof-of-concepts appearing, we will start seeing malware that uses the same techniques."