A Jump on Security Advisories (For a Fee)

April 15, 2005

Microsoft's mammoth release of 18 patches this week may have surprised some, but not customers of network security firm iDefense.

Microsoft's own publicly disclosed advance notice of its patch plans, released last week, did not mention known Internet Explorer vulnerabilities, but iDefense customers did know about them.

In fact, of the 18 vulnerabilities that Microsoft issued patches for this week, four of them were discovered by the Reston, Virginia-based iDefense.

Among them were the Internet Explorer DHTML Engine Race Condition, Internet Explorer Long Hostname Heap Corruption Vulnerability, MSHTA Script Execution Vulnerability and the CSRSS.EXE Stack Overflow Vulnerability.

All four of those vulnerabilities were actually reported to iDefense via its Vulnerability Contributor Program (VCP), which offers monetary rewards to independent security researchers who find vulnerabilities.

"iDefense clients did know about it ahead of time, actually an average of 145 days ahead of the public disclosure," Michael Sutton, director of iDefense Labs, told

Though iDefense clients knew of the vulnerabilities before the general public, Sutton said he is not worried that the information would be leaked to the public.

"All of our clients are paying clients under contract. As part of their contractual obligations they cannot share the information outside of their borders," Sutton explained. "We've never had any issues in the past. Obviously, they also recognize that there is some sensitivity about the date."

The early iDefense notices also do not provide the information that would be needed to exploit the vulnerability.

"There are also some things that we don't share with our clients. We don't share exploit code, what we're giving them is information that they need to protect themselves," Sutton said.

In response to a question about whether iDefense customers were "more protected" than average Microsoft users, a Microsoft spokesperson told that Microsoft continues to recommend that customers apply the security updates as soon as possible after they are released.

"For most users, Microsoft provides tools such as Automatic Updates, Systems Management Server (SMS) and Windows Server Update Services (WSUS) to help ensure that the latest security updates are installed quickly, helping to secure customers against possible threats," the Microsoft spokesperson said.

According to iDefense's Sutton, there was a lot of coordination with Microsoft about the advisories that were issued during Microsoft's most recent monthly patch release, April 12th.

"There is a lot of back and forth with us reporting the information to them and answering questions," Sutton said. "We always offer to help test their patches and we review each other's respective advisories, so there is a lot of work going on leading up to that."

iDefense also collaborated with IDS vendor Sourcefire on three of the advisories so that Sourcefire 3D system and Snort subscribers would also be among the first to be protected from the potential threats.

"It's like peanut butter and jelly: both are good by themselves; however, when you combine them you have a complete solution," Matt Watchinski, director of Sourcefire's vulnerability research team, told

"iDefense provides the necessary intelligence so their customers, like Sourcefire, have ample warning of new vulnerabilities to watch out for, while Sourcefire leverages that intelligence to provide the tools to help our customers detect and prevent those attacks on customer networks - before any damage can be done."

Sourcefire does not, however, have an ongoing relationship with iDefense, though they've collaborated periodically in the past, according to iDefense's Sutton.

"This was a scenario where we wanted to get some signatures in place so that we'd be ready to go at the time of the public release. So we collaborated with them in the days leading up to [the release], developed the signatures and agreed that we'd release them to our respective clients at the time of public disclosure."
