November 13, 2008 1:04 PM PST

Microsoft explains seven-year patch delay

by Tom Espiner

Microsoft has offered an explanation as to why it took the company seven years to issue a patch for a known vulnerability.

The flaw, which lies in the Microsoft Server Message Block (SMB) protocol, was addressed Tuesday in Microsoft security bulletin MS08-068. The flaw could enable an SMB Relay attack, which would allow an attacker to install programs; view, change or delete data; or create new accounts with full user rights.

Christopher Budd, a security program manager in the Microsoft Security Response Center, said in a blog post Thursday that while Microsoft had been aware of the vulnerability, fixing it would have broken customer network applications.

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Budd explained that, while Microsoft in 2001 advised customers to use SMB signing, it knew then that the mitigation might not be a usable solution for some.

"We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it unfeasible for customers to implement SMB signing," wrote Budd.

The vulnerability was first publicly documented by a security researcher known as "Sir Dystic" during the @tlanta.con convention in 2001, according to the Metasploit blog. Metasploit also included an SMB Relay module in its attack tool earlier this year.

Metasploit said in a blog post Tuesday that the SMB patch from Microsoft was only partially effective.

"The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim," wrote 'HD.' "The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to."

Microsoft was not able to give immediate comment at the time of writing.

Tom Espiner of ZDNet UK reported from London.

by behni November 13, 2008 1:26 PM PST
Breaking third party apps never stopped Microsoft before!
by Dalkorian November 17, 2008 4:30 PM PST
"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Maybe I should be reading the blog, but I didn't see him mention 3rd party apps. The upshot I got from it was they would end up breaking THEIR OWN apps.

To me this still isn't much of an excuse, but I'm sure the M$ apologists will jump all over it.
by nachurboy November 13, 2008 1:34 PM PST
Since Vista and Server 2008 broke a lot of software already, why wasn't it fixed for those OS' release?
by timber2005 November 13, 2008 2:47 PM PST
You're suggesting businesses needed more of a reason not to adopt Vista/Server 08? They are the ones screaming for the backwards compatibility, as far back as 95/98!
by nachurboy November 13, 2008 4:33 PM PST
If Vista/Server 08 already broke a lot of apps, breaking SMB by fixing the problems it has won't make any difference to businesses, since they'd have to upgrade their software anyway. Fixing the SMB problem before Vista/Server 08 came out would have created more of a reason for XP to get fixed since the applications that would break due to the SMB fix would also be available for XP. Just because businesses wanted backwards compatibility doesn't mean they got it with Vista.
by Penguinisto November 13, 2008 2:06 PM PST
So, err, why was Samba not vulnerable to this the whole time? What "consumer network applications" were allegedly affected?

Sorry, but it seems a pretty sorry excuse considering the risks.

/P
by Vegaman_Dan November 13, 2008 2:59 PM PST
It also sounds like the issue was pretty darn obscure if it hasn't caused any trouble in all this time. You didn't even know about it, Penguinisto, and you're first to point out any and all flaws.

The excuse does sound fairly weak, but they could be like Apple and never say anything at all or admit there was ever an issue in the first place. Which would you rather have?
by Penguinisto November 13, 2008 3:17 PM PST
Hey Dan? Exploit code had been floating out there for seven years. Untold numbers of machines were infected at local hot-spots, lan-parties, and various other places...

Apple has their own problems when it comes to disclosure or action on a flaw IMHO... OTOH, to their credit they've managed to prevent any virus outbreak from ever occurring on OSX, and have always acted to close any flaw out there with exploit code attached to it... so your complaints in their direction seem rather moot at best.

Also, what I point out or not point out makes no diff - Windows has too many exploitable flaws --even now-- to list them all in this space. securityfocus.com (among many others) happily do that publicly... go look there ;)
by alegr November 13, 2008 4:39 PM PST
Are you sure it's not vulnerable? Have you checked Samba codes and changelogs?
by mbenedict November 13, 2008 5:10 PM PST
Please, stop talking about things you have no knowledge about.

1) This is an old design flaw in CIFS when using NTLM authentication. Any implementation of the protocol, including Samba, is vulnerable.
2) This flaw is actually not generally exploitable for most systems post Windows 95. That's because Microsoft implemented a protocol change to allow for "SMB Message Signing". This change prevents "man-in-the-middle" attacks such as SMB replay attacks.
3) By default, Windows 2000 and newer systems (including XP, Vista, etc) require SMB Message Signing so this vulnerability is not exploitable, UNLESS SMB MESSAGE SIGNING IS PURPOSEFULLY TURNED OFF.
4) Windows 95 (and OS/2) cannot use SMB Message Signing. This means these old systems cannot connect to a modern Windows network. Unfortunately some "system administrators" then disable SMB Message Signing to allow for Win95 interoperability.
5) The latest patch basically forces signing, breaking compatibility with old systems for good.

Here's a Microsoft article from 2005 which describes the problem and solutions: http://technet.microsoft.com/en-us/library/cc512612.aspx

6) Vista and Server 2008 have additional defenses which further mitigate against this type of attack even if message signing is disabled.
7) "Untold number of machines were infected"? What kind of bogus statement is that? Outside of lab environments, there have been ZERO reports of this vulnerability actually being exploited in the wild. Again by default any Microsoft OS since Win95 is not actually exploitable.
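As an added defender-side check that is not part of the article or this comment thread: a PowerShell snippet that reads the Windows SMB signing policy values mbenedict refers to (assuming the documented LanmanWorkstation/LanmanServer registry locations) and reports whether signing is merely enabled or actually required on each side, which is the setting that decides whether an unsigned, relayable session can still be negotiated.

```powershell
# Added example (not from the article or any commenter): report whether this
# Windows host requires SMB signing on its client and server sides.
# Assumes the long-standing policy locations under HKLM; a missing value
# means "not configured" and is treated as 0 (not required).

function Get-SmbSigningState {
    $sides = @(
        @{ Name = 'Client (LanmanWorkstation)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' },
        @{ Name = 'Server (LanmanServer)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    )
    foreach ($side in $sides) {
        $p = Get-ItemProperty -Path $side.Path -ErrorAction SilentlyContinue
        $require = [int]($p.RequireSecuritySignature)
        $enable  = [int]($p.EnableSecuritySignature)

        # Only "required" closes the door: "enabled" still lets a peer that
        # does not offer signing negotiate an unsigned session.
        $verdict = if ($require -eq 1) {
            'REQUIRED: unsigned sessions refused'
        } elseif ($enable -eq 1) {
            'ENABLED ONLY: unsigned session can still be negotiated'
        } else {
            'DISABLED: sessions are unsigned'
        }

        [pscustomobject]@{
            Side                     = $side.Name
            RequireSecuritySignature = $require
            EnableSecuritySignature  = $enable
            Verdict                  = $verdict
        }
    }
}

Get-SmbSigningState | Format-Table -AutoSize

# On Windows 8 / Server 2012 and later the SMB cmdlets expose the same policy;
# they are skipped silently on older systems where they do not exist.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
    Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
}
```

Run it in an elevated PowerShell session on each host you are auditing; a host showing "ENABLED ONLY" or "DISABLED" on either side is the configuration the comment above warns about.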
by Penguinisto November 14, 2008 6:30 AM PST
"1) This is an old design flaw in CIFS when using NTLM authentication."

Nice caveat. ;)

"2) This flaw is actually not generally exploitable for most systems post Windows 95."

...so the exploit code that came out for Windows 2000 - explain its presence. You're trying to hide behind generalities here. You also ignore the lingering presence of mixed environments, Windows NT 4, and etc... and those pesky "consumer network applications" that MSFT points to as their excuse.

Not that it was easily exploitable, but was exploitable nonetheless. I mentioned "untold" numbers because there is no accurate count.
by mbenedict November 14, 2008 7:26 AM PST
I already said it. The exploit code will NOT work on Windows 2000 unless SMB Message Signing is disabled. Same with NT 4 with Service Pack 3 or later.

The only real issue is supporting Windows 95 and OS/2. (Actually a fix is available even for Win95). But if you're still running either of those OSes, then you probably have larger security issues, and poor IT governance.
by n3td3v November 13, 2008 2:12 PM PST
Why did you need to mention HD Moore's name or his projects? Damn.
by wolivere November 13, 2008 2:16 PM PST
One question, how often has this been exploited?
by n3td3v November 13, 2008 2:27 PM PST
Lots more times than it would have because of the Metasploit project, which I wish the government would get to grips with and stop pretending it's some lawful program for security professionals. It's an evil tool used by script kids primarily, and something's got to be done about it.
by Vegaman_Dan November 13, 2008 3:00 PM PST
Apparently not enough to actually have anyone even notice it. Pretty darn obscure if you ask me.
by Penguinisto November 13, 2008 3:18 PM PST
...because no one ever uses Metasploit, right Dan?
by mbenedict November 13, 2008 5:24 PM PST
@wolivere:

There is NO evidence that this vulnerability has actually been exploited outside of lab environments, because default settings prevent this vulnerability from being exploited (hence the assigned security rating is "important" rather than "critical").

Quote:

"When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers"
by Penguinisto November 14, 2008 6:32 AM PST
...has no one defending this ever heard of combining attack vectors?

Cripes.

/P
by gsmiller88 November 13, 2008 5:50 PM PST
Like I said, it just took them THAT long to fix it :-P
by ferretboy88 November 13, 2008 8:50 PM PST
If we just find all the bad guy computer hackers and take them out then we should take care of all the problems with computer security.
by Dalkorian November 17, 2008 4:39 PM PST
How completely ignorant of you. Contrary to popular belief, it wouldn't solve all the security problems if we just "took out" all the "bad guy computer hackers", because *nix OSes have vulnerabilities too, so it's not just winblows developers.

Besides, we need these "bad guys" to find the flaws that the OS developers would rather keep hidden so the flaws can actually get fixed. With a decent OS that fix comes in weeks, but with M$ it can and sometimes does take years.
by ittesi259 November 14, 2008 8:33 AM PST
Wow I read this as "We left everyone vulnerable because it might hurt an app or 2....so we left ALL of our customers open to a vulnerability"

Wow really?
by gp2792 November 14, 2008 8:53 AM PST
You read it that way? Wow really? Try again:

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

many (or nearly all).....not an app or 2. what would your response be if ms released a patch that blew away many or nearly all network based apps? Would you be thanking MS for closing out this obscure vulnerability? somehow, i think you would be in the minority.
by PCWizKid November 16, 2008 3:57 PM PST
Patched or not, you still need to tweak Windows for best performance.

I have recorded a series of video tutorials and how to's on tweaking Windows Vista, XP and Ubuntu.

visit http://PCWizKidsTechTalk.com for all the tips, tweaks and hacks

Cheers
PCWizKid
by The_happy_switcher November 17, 2008 10:15 AM PST
Right, because Microsoft has never broken anything else before. LOL