By Thomas Kristensen
On Tuesday 14th September, Microsoft released 9 security bulletins to address various vulnerabilities in their products. One of these bulletins, MS10-063, discussed a vulnerability in the Uniscribe Unicode Scripts Processor component, usp10.dll, which is a collection of APIs enabling formatting of complex scripts. The accompanying Exploitability Index rating was set to 2, meaning that it was likely to see only inconsistent exploit code within the next 30 days.
Whenever Microsoft and other major vendors issue patches, reverse engineers in the Secunia Research team is tasked with analysing the patches to determine details about the fixed vulnerability (e.g. core problem, attack vectors, requirements), assess the likelihood of reliable exploitation, determine workarounds, and conclude if the patch properly fixes the vulnerability.
During analysis of MS10-063 is was discovered that Microsoft had fixed two very similar array-indexing vulnerabilities in different functions. Upon further analysis, it was concluded that at least one of the fixed vulnerabilities could be exploited in a reliable manner and not an unreliable (inconsistent) manner as evaluated by Microsoft.
On Friday 17th September, Secunia Research contacted Microsoft and provided full details on the performed analysis to work with the vendor on raising the exploitability index rating to 1 (consistent exploit code likely) in order to ensure that customers would properly prioritise the update.
On Tuesday 21st September, Secunia updated the Secunia advisory covering MS10-063, SA41396, with full details of the vulnerability and likelihood of exploitation in the "Extended Description" section available to customers on Secunia's EVM, VIF, and BA solutions. Later that day, Secunia also updated the public "Description" section of the advisory with additional details.
On Wednesday 22nd September at 2pm PST, Microsoft updated the exploitability index rating from 2 to 1 for MS10-063 in the "Microsoft Security Bulletin Summary for September 2010", acknowledging Secunia's assistence ("Microsoft thanks the following for working with us to help protect customers: Carsten H. Eiram of Secunia for reporting information that led to an Exploitability Index change for CVE-2010-2738 in MS10-063").
This is just one of many examples of the high level of competencies in the Secunia Research team and the amount of work and in-depth analysis that goes into ensuring that Secunia can offer the most trustworthy and reliable Vulnerability Intelligence of the highest quality.