Thread: Successful Exploit Renders Microsoft Patch Ineffective

  1. #1 Senior Member (Join Date: Jan 2003; Posts: 3,915)

    Successful Exploit Renders Microsoft Patch Ineffective

    Hey All,

    Just wanted to share that the MS09-008 patch isn't as cut and dry as it seems. There's an issue where if someone has already exploited CVE-2009-0093, the issue will not be properly patched. Yet software (patch management, automatic updates, etc) will report you as patched.

    I've posted more details on the nCircle blog. Please let me know if you have any questions.

    Tyler.

  2. #2 Senior Member (Join Date: Jan 2003; Posts: 3,915)
    Hey All,

    I heard back from MSFT and this was the intended functionality of the patch.

    There are important reasons why this path was chosen: it is not possible to tell legitimate WPAD entries from illegitimate ones that were loaded by attackers. Hence our need to accept an already "existent" entry as being valid.
    It sounds like functionality beat security here... and that sounds like an issue to me.

    In my attempts to raise awareness to this issue, I've posted another blog post -- http://blog.ncircle.com/blogs/vert/a..._security.html
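
    The Microsoft statement above says the patch accepts a WPAD entry that already exists, so the only way for an administrator to know where they stand is to enumerate such entries themselves and judge each one. The script below is an added example for this thread, not code from nCircle, Microsoft or any poster; it assumes the DNS zone has been exported to a BIND-style master file (for example with dnscmd /ZoneExport) and every name and address in it is constructed sample data.

```python
"""Audit a DNS zone export for existing WPAD host records.

Added example for this thread, not code from nCircle, Microsoft or the posters.
It assumes the zone has been exported to a BIND-style master file (for example
with `dnscmd /ZoneExport`); the zone name and every record below are constructed
sample data, not taken from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Host label the thread is about. The patch leaves a pre-existing entry in
# place and still reports success, so an auditor has to find such entries
# and decide whether each one is legitimate.
HOST_LABELS = {"wpad"}
RECORD_TYPES = {"A", "AAAA", "CNAME"}
CLASSES = {"IN", "CH", "HS"}


@dataclass(frozen=True)
class ZoneRecord:
    owner: str   # fully qualified, lower-case, no trailing dot
    rtype: str
    rdata: str


def parse_zone(text: str, origin: str) -> list[ZoneRecord]:
    """Minimal master-file parser: $ORIGIN, comments, optional TTL/class,
    '@' and blank-owner continuation lines. Multi-line '(' records are not
    handled, which is enough for auditing host records."""
    origin = origin.rstrip(".").lower()
    records: list[ZoneRecord] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        fields = line.split()
        if line[0] in " \t":                   # blank owner: repeat previous owner
            owner = last_owner
        else:
            token = fields.pop(0)
            if token == "@":
                owner = origin
            elif token.endswith("."):
                owner = token.rstrip(".").lower()
            else:
                owner = f"{token.lower()}.{origin}"
        # Optional TTL and class precede the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        if len(fields) < 2:
            continue
        last_owner = owner
        records.append(ZoneRecord(owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def find_wpad_records(records: list[ZoneRecord]) -> list[ZoneRecord]:
    """Return host records whose leftmost label is a WPAD name, at any depth
    in the zone, since proxy auto-discovery walks up the client's DNS suffix."""
    return [
        r for r in records
        if r.rtype in RECORD_TYPES and r.owner.split(".")[0] in HOST_LABELS
    ]


# Constructed sample export; the wpad records are the ones an auditor reviews.
SAMPLE_ZONE = """\
$ORIGIN corp.example.com.
$TTL 3600
@           IN  NS      ns1.corp.example.com.
ns1         IN  A       10.0.0.53
fileserver  IN  A       10.0.0.20
            IN  AAAA    fd00::20
www         300 IN  A   10.0.0.80
wpad        IN  A       10.0.0.99
WPAD.branch.corp.example.com.  IN  CNAME  proxy.branch.corp.example.com.
proxy       IN  A       10.0.0.8
"""


def audit(text: str, origin: str) -> list[ZoneRecord]:
    """Parse a zone export and return every WPAD host record it contains."""
    return find_wpad_records(parse_zone(text, origin))


if __name__ == "__main__":
    hits = audit(SAMPLE_ZONE, "corp.example.com.")
    if not hits:
        print("no WPAD host records found")
    for r in hits:
        print(f"REVIEW  {r.owner}  {r.rtype}  {r.rdata}")
```

    Run against the sample, the audit flags both the top-level wpad A record and the CNAME under the branch subdomain; an empty result is the state an administrator wants to confirm before trusting a "patched" status from update tooling.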

  3. #3 nihil, Senior Member (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    I would have thought that would be true of all patches? They potentially close the stable door after the horse has bolted.

    I also don't think that
    It sounds like functionality beat security here
    which implies that there was some sort of trade-off?

    It seems more like the method was not well thought out. I can accept that they can't tell the difference between good and bad WPAD entries, but letting users believe that the patch has been applied successfully is the real sloppiness in my book.

    Sure I can understand MS wanting to record that the patch was attempted and ran without error, otherwise updates would be forever trying to re-apply it.

    I would have thought that the simplest solution would be to send a message that the update ran successfully but action was not taken because WPAD entries existed?

  4. #4 Senior Member (Join Date: Jan 2003; Posts: 3,915)
    Quote Originally Posted by nihil:
    I would have thought that would be true of all patches? They potentially close the stable door after the horse has bolted.
    The problem is they don't close the door in this case if the horse has bolted... they only close the door if the horse is already there... Meaning the other horse could bolt as well (to beat an expression to death)

    I would have thought that the simplest solution would be to send a message that the update ran successfully but action was not taken because WPAD entries existed?
    That is one of the suggestions I've put forward... However Microsoft doesn't seem to agree.

    I did an interview earlier this evening, which may add a little more.. it can be read here -- http://redmondmag.com/news/article.a...orialsID=10684

  5. #5 Banned (Join Date: Jan 2008; Posts: 605)
    I've also read page-long articles where you griped and whined about browsers crashing and not being taken seriously as denial of service flaws. None of this is going to change the fact that it's never going to be a widespread issue worth worrying about.
    Last edited by The-Spec; March 13th, 2009 at 07:32 AM.

  6. #6 Senior Member (Join Date: Jan 2003; Posts: 3,915)
    Quote Originally Posted by The-Spec:
    I've also read page-long articles where you griped and whined about browsers crashing and not being taken seriously as denial of service flaws. None of this is going to change the fact that it's never going to be a widespread issue worth worrying about.
    There have been page-long articles on my concerns over client-side DoS and DoS in general? Damn... where? All I've seen are my blog posts.

    Whether or not the issue is widespread is not the case... if you're going to take the time to patch something... patch it properly or don't bother giving out a false sense of security.

  7. #7 nihil, Senior Member (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Yes, this is a little more complicated.

    The problem is they don't close the door in this case
    In my simple view of things, patches have two main attributes:

    1. You run the program and get a message as to whether it was successful or not.

    2. It plugs the hole, and all you need worry about is what might have invaded your system before the patch was applied.

    The difference here seems to be (to me at least) that it doesn't plug the hole if you have already been compromised? The importance of this being that, even if you cleared out all the malware that might have been installed through exploiting the vulnerability, you are still at risk.

    In that respect it looks more like a possible mitigation than a true "patch".

    That is one of the suggestions I've put forward... However Microsoft doesn't seem to agree.
    I am afraid that I can't understand that. The situation would seem to be similar to uninstalling an application.............sometimes you get a message that tells you that uninstallation was completed but some elements could not be removed and you will have to do it manually. At least you are informed.

    Whether or not the issue is widespread is not the case... if you're going to take the time to patch something... patch it properly or don't bother giving out a false sense of security.
    Given that the issue affects servers I would say that it was worth worrying about, even if it isn't widespread (yet). Individually targeted attacks are not unknown are they?

    As for the false sense of security I really couldn't agree more. Many administrators don't have the resources to analyse what a patch actually does (or doesn't), they just take it on trust that it does what it says on the label.

    In my experience, all people do is test that the patch doesn't screw their system, then roll it out.

    As for the disclosure, I believe that Tyler acted in a totally responsible and professional manner. It isn't as if he produced a POC for a zero day exploit......... all he did was warn people that a supposed fix wouldn't work in all situations.

    I just can't see that as griping, whining or Microsoft bashing.
    Last edited by nihil; March 13th, 2009 at 11:50 AM.
