-
March 11th, 2009, 08:06 AM
#1
Successful Exploit Renders Microsoft Patch Ineffective
Hey All,
Just wanted to share that the MS09-008 patch isn't as cut and dry as it seems. There's an issue where if someone has already exploited CVE-2009-0093, the issue will not be properly patched. Yet software (patch management, automatic updates, etc) will report you as patched.
I've posted more details on the nCircle blog. Please let me know if you have any questions.
Tyler.
-
March 12th, 2009, 04:30 PM
#2
Hey All,
I heard back from MSFT and this was the intended functionality of the patch.
There are important reasons why this path was chosen: it is not possible to tell legitimate WPAD entries from illegitimate ones that were loaded by attackers. Hence our need to accept an already "existent" entry as being valid.
It sounds like functionality beat security here... and that sounds like an issue to me.
In my attempts to raise awareness to this issue, I've posted another blog post -- http://blog.ncircle.com/blogs/vert/a..._security.html
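Because a "patched" status does not tell you whether a WPAD entry already existed, an administrator needs a separate check. The script below is an added example, not code from this thread or from nCircle; it assumes the entry is published as wpad.<zone> and takes a pluggable resolver so it can be exercised offline with constructed data.

```python
"""Audit DNS zones for a pre-existing WPAD host entry.

MS09-008 leaves an already present WPAD record in place (the patch cannot
tell a legitimate entry from one an attacker registered), so a zone that
resolves wpad.<zone> still needs manual review even though update tooling
reports the host as patched.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a hostname to an IPv4 address, or None if it does not exist.
Resolver = Callable[[str], Optional[str]]


def default_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wpad_name(zone: str) -> str:
    """Build the conventional WPAD hostname for a zone (assumption: wpad.<zone>)."""
    return "wpad." + zone.strip().rstrip(".").lower()


def audit_wpad(zones: Iterable[str], resolver: Resolver = default_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: address-or-None} for the WPAD name in each zone."""
    return {zone: resolver(wpad_name(zone)) for zone in zones}


def zones_needing_review(results: Dict[str, Optional[str]]) -> List[str]:
    """Zones where a WPAD entry exists and therefore was not blocked by the patch."""
    return sorted(zone for zone, addr in results.items() if addr is not None)


if __name__ == "__main__":
    import sys
    found = audit_wpad(sys.argv[1:] or ["example.test"])
    for zone in zones_needing_review(found):
        print(f"REVIEW: {wpad_name(zone)} resolves to {found[zone]}")
```

Run it with the zone names your DNS server hosts; any line printed means the entry predates the patch (or was added since) and should be verified by hand.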
-
March 13th, 2009, 04:29 AM
#3
I would have thought that would be true of all patches? They potentially close the stable door after the horse has bolted.
I also don't think that
It sounds like functionality beat security here
which implies that there was some sort of trade-off?
It seems more like the method was not well thought out. I can accept that they can't tell the difference between good and bad WPAD entries, but letting users believe that the patch has been applied successfully is the real sloppiness in my book.
Sure I can understand MS wanting to record that the patch was attempted and ran without error, otherwise updates would be forever trying to re-apply it.
I would have thought that the simplest solution would be to send a message that the update ran successfully but action was not taken because WPAD entries existed?
-
March 13th, 2009, 05:09 AM
#4
Originally Posted by nihil
I would have thought that would be true of all patches? They potentially close the stable door after the horse has bolted.
The problem is they don't close the door in this case if the horse has bolted... they only close the door if the horse is already there... Meaning the other horse could bolt as well (to beat an expression to death)
I would have thought that the simplest solution would be to send a message that the update ran successfully but action was not taken because WPAD entries existed?
That is one of the suggestions I've put forward... However Microsoft doesn't seem to agree.
I did an interview earlier this evening, which may add a little more.. it can be read here -- http://redmondmag.com/news/article.a...orialsID=10684
-
March 13th, 2009, 05:38 AM
#5
I've also read page-long articles where you griped and whined about browsers crashing and not being taken seriously as denial of service flaws. None of this is going to change the fact that it's never going to be a widespread issue worth worrying about.
Last edited by The-Spec; March 13th, 2009 at 07:32 AM.
-
March 13th, 2009, 06:25 AM
#6
Originally Posted by The-Spec
I've also read page-long articles where you griped and whined about browsers crashing and not being taken seriously as denial of service flaws. None of this is going to change the fact that it's never going to be a widespread issue worth worrying about.
There have been page-long articles on my concerns over client-side DoS and DoS in general? Damn... where? All I've seen are my blog posts.
Whether or not the issue is widespread is not the case... if you're going to take the time to patch something... patch it properly or don't bother giving out a false sense of security.
-
March 13th, 2009, 11:41 AM
#7
Yes, this is a little more complicated.
The problem is they don't close the door in this case
In my simple view of things, patches have two main attributes:
1. You run the program and get a message as to whether it was successful or not.
2. It plugs the hole, and all you need worry about is what might have invaded your system before the patch was applied.
The difference here seems to be (to me at least) that it doesn't plug the hole if you have already been compromised? The importance of this being that, even if you cleared out all the malware that might have been installed through exploiting the vulnerability, you are still at risk.
In that respect it looks more like a possible mitigation than a true "patch".
That is one of the suggestions I've put forward... However Microsoft doesn't seem to agree.
I am afraid that I can't understand that. The situation would seem to be similar to uninstalling an application... sometimes you get a message that tells you that uninstallation was completed but some elements could not be removed and you will have to do it manually. At least you are informed.
Whether or not the issue is widespread is not the case... if you're going to take the time to patch something... patch it properly or don't bother giving out a false sense of security.
Given that the issue affects servers I would say that it was worth worrying about, even if it isn't widespread (yet). Individually targeted attacks are not unknown are they?
As for the false sense of security I really couldn't agree more. Many administrators don't have the resources to analyse what a patch actually does (or doesn't), they just take it on trust that it does what it says on the label.
In my experience, all people do is test that the patch doesn't screw their system, then roll it out.
As for the disclosure, I believe that Tyler acted in a totally responsible and professional manner. It isn't as if he produced a POC for a zero day exploit... all he did was warn people that a supposed fix wouldn't work in all situations.
I just can't see that as griping, whining or Microsoft bashing.
Last edited by nihil; March 13th, 2009 at 11:50 AM.