Security: just a marketing problem
At first glance, Microsoft™ Security Bulletin MS04-009: Vulnerability in Microsoft™ Outlook Could Allow Code Execution (828040) may look like just another YARX – Yet Another Remote eXploit.
After the user has visited the malicious Web site or viewed the malicious HTML e-mail message, an attacker who successfully exploited this vulnerability could access files on a user’s system or run arbitrary code on a user’s system.
It is easy to see that this vulnerability can be exploited to install a backdoor or a trojan on an affected system with no user intervention beyond viewing the message or page, and without the user noticing. Of course it isn’t the first hole of that magnitude. What distinguishes it is the fact that the bulletin was reissued. The reason for doing so is particularly noteworthy:
Subsequent to the release of this bulletin, it was determined that this vulnerability could also affect users who do not have the “Outlook Today” folder home page as their default home page in Outlook 2002. As a result, Microsoft has re-released this bulletin with a new severity rating of “critical” to reflect the expanded attack vector.
This offers an interesting insight into Microsoft’s severity assessment process. Apparently, the fact alone that a vulnerability leaves victims completely open to attack is just not enough to make Microsoft consider it “critical” – it also has to affect a lot of users. Otherwise it’s just “important”. It might even be considered merely “moderate” if it sat in some obscure, rarely exercised code path. Of course it is entirely conceivable that since Microsoft was informed on July 21st, 2003, a mere 10 months before they reissued the bulletin, they just didn’t have enough time to properly gauge the impact of this hole.
Politics at their finest, and once again an excellent demonstration that no company should ever be trusted with a position such as the one Microsoft currently occupies. Because if I were an enterprise like them, I’d probably be doing the same.