Bug bounty program reveals 22 unpatched flaws, 5 in Office

New TippingPoint deadline kicks in to expose bugs, some more than two years old, in Microsoft, IBM, HP software

As it promised last year, on Monday the world's biggest bug bounty program released information about nearly two dozen unpatched vulnerabilities, including five in Microsoft Office, after deadlines expired.

The disclosure of 22 bugs -- some of them reported to their developers over two-and-a-half years ago -- resulted from a change announced six months ago by HP TippingPoint, whose Zero Day Initiative (ZDI) buys more bugs from independent researchers than any other program.

Last August, TippingPoint said it would enforce a six-month disclosure deadline, and would publish information about the bugs it bought if the flaws had not been patched before then. Previously, ZDI's policy was to indefinitely withhold a vulnerability after reporting it to a vendor, publishing its own advisory only after a patch had been issued.

Today, TippingPoint rolled out the first advisories for vulnerabilities whose deadlines had expired.

Nine of the 22 flaws were in IBM software, five were in Microsoft programs, four were in Hewlett-Packard code and one each affected CA, EMC, Novell and SCO.

All five of the Microsoft vulnerabilities disclosed by TippingPoint were in Office applications: Four were in Excel, with the fifth in PowerPoint, the suite's presentation manager.

Microsoft said it had intended to patch the five flaws today as part of its monthly Patch Tuesday security updates, but backed away at the last minute.

"Microsoft was aware of the five vulnerabilities disclosed by ZDI and was working to address them as part of our regular February bulletin release cycle," Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC). "However, during the process, we discovered issues that we determined would have prevented customer deployment and we chose to withdraw them for further development."

TippingPoint reported four of the five still-unpatched Microsoft vulnerabilities to the Redmond, Wash. developer more than seven months ago.

"The point of the deadline was so that vendors don't sit on vulnerabilities," said Dan Holden, the director of TippingPoint's DVLabs, echoing comments made by others at TippingPoint last August when the company slapped a deadline on disclosures. "It's like compliance for the security industry. This gives vendors a deadline to meet, to get compliant. We don't want vulnerabilities to be out there for years."

TippingPoint's decision to add a disclosure deadline followed similar moves by others last summer. In July 2010, Google reignited the debate about bug reporting with a proposal that featured, among other things, a call that researchers set a 60-day deadline. Under Google's plan, researchers would be free to take their findings public if a patch wasn't produced by the two-month deadline.

Days later, Microsoft responded by saying it wanted to change the term "responsible disclosure" to "coordinated vulnerability disclosure" to better reflect its policy and to remove the loaded word "responsible" from the discussion.

When TippingPoint announced its deadline last year, Microsoft didn't much care for it. "Only in the event of active attacks..." should bugs be revealed before a patch is ready, said Dave Forstrom, director of Microsoft's Trustworthy Computing group, last year. "And even then it should be coordinated as closely as possible."

Today, Bryant said in an e-mail reply to questions only that, "Microsoft appreciates that ZDI chose to reveal relatively little information about individual vulnerabilities, diminishing the likelihood that attackers could use the information to put customers at risk."

TippingPoint's advisories don't spell out how an unpatched bug can be triggered, but do offer general information on where the bug resides, and in many cases, provides workarounds to help protect users until a fix is released.

"We only release a general description of the vulnerability, not specifically where it is," said Aaron Portnoy, manager of TippingPoint's security research team. "And we release mitigations, some that have come from the vendors, some from the [independent] researchers [who report the flaws] and some suggested by our own team.

"We're only concerned with what actually works, not where it came from," added Portnoy, talking about the workarounds.

All five of TippingPoint's advisories for Microsoft bugs include recommendations users can take to defend their PCs until a patch is produced.

Portnoy labeled the disclosure policy change a success. "The response has been overwhelmingly positive," he said, adding that nearly 90% of the bugs reported to the bounty program since last August had been patched within their six-month deadlines.

And he called Microsoft "generally appreciative" of the new deadlines.

"Individuals [at Microsoft's security team] completely understand the reasons, and have been pretty supportive, even if the company as a whole is not happy," said Portnoy. He added that TippingPoint had seen no "push back" from any vendor about the deadlines.

TippingPoint did extend its deadlines on some vulnerabilities -- in Microsoft, Apple and Sun Microsystems software -- for a variety of reasons said Portnoy, including change of ownership, a factor that played a part in the decision for the Sun bugs.

Sun was acquired by Oracle last year. "When a new company comes in, we give them another six months," said Portnoy.

Extensions were given Microsoft in some cases because the bugs will be patched later today as part of the regularly-scheduled monthly security updates.

TippingPoint's advisories for the unpatched vulnerabilities, including Microsoft's, have been published on its site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftHewlett-PackardMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?