This week's RTF zero day in Word was a chance to reach out to the masses. But Microsoft only speaks to engineers and experts.
Years after zero day flaws in popular software were accepted as a pressing security worry, vendors are still not thinking through how they communicate them to the general public.
This week’s RTF exploit in all versions of Microsoft Word (including Macs) offers a telling case in point. Here is the description of the issue - one potentially affecting every Word user, remember - in Microsoft's blog announcement, which accompanied several other pages of technical explanation.
“The in the wild exploit takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass, which depends by a module loaded at predictable memory address,” reads one important description.
“First, our tests showed that EMET default configuration can block the exploits seen in the wild. In this case, EMET’s mitigations such as “Mandatory ASLR” and anti-ROP features effectively stop the exploit,” it continues by way of advice.
There is nothing wrong with this explanation - if you’re a technical expert or a professional. The average user looking to temporarily fix a flaw for which there is no patch as yet would have found this utterly baffling.
It’s an issue that has been on the fringes of the security debate for years, and the consensus that emerged was that it doesn’t matter whether the average computer user understands the nature of security flaws as long as they can be persuaded to turn on automatic updates. But for flaws that require user intervention outside the patch cycle, that assumption fails.
In Microsoft’s defence, in this case it did offer an automatic ‘fix it’ on a separate page, if you were lucky enough to find that. More likely, consumers will receive no protection against RTF exploits circulating in the wild until the April Patch Tuesday.
My thanks to Blue Coat’s director of threat research Andrew Brandt for drawing attention to this in his lucid and illuminating blog discussing the flaw, but it is far from the only or first example of poor security flaw communication.
Luckily, as Brandt also points out, the attackers wielding the zero day appear to have nuked their chances of using it to the maximum by making stupid mistakes such as using the wrong file extension (changing the way it is opened by Word) and hitting systems with an installer for Zbot that ‘blue screens’ the target system so badly it won’t even boot beyond a drab olive error screen.
So this zero day will turn out to be less serious than it could have been. But Microsoft and its peers will regret their inability to explain a relatively simple flaw to ordinary users if the criminals get their attack engineering and timing right next time.