Microsoft explains seven-year patch delay

Microsoft has offered an explanation as to why it took the company seven years to issue a patch for a known vulnerability.

The flaw, which lies in the Microsoft Server Message Block (SMB) protocol, was addressed Tuesday in Microsoft security bulletin MS08-068. The flaw could enable an SMB Relay attack, which would allow an attacker to install programs; view, change or delete data; or create new accounts with full user rights.

Christopher Budd, a security program manager in the Microsoft Security Response Center, said in a blog post Thursday that while Microsoft had been aware of the vulnerability, fixing it would have broken customer network applications.

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Budd explained that, while Microsoft in 2001 advised customers to use SMB signing, it knew then that the mitigation might not be a usable solution for some.

"We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it unfeasible for customers to implement SMB signing," wrote Budd.

The vulnerability was first publicly documented by a security researcher known as "Sir Dystic" during the @tlanta.con convention in 2001, according to the Metasploit blog. Metasploit also included an SMB Relay module in its attack tool earlier this year.

Metasploit said in a blog post Tuesday that the SMB patch from Microsoft was only partially effective.

"The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim," wrote 'HD.' "The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to."

Microsoft was not able to give immediate comment at the time of writing.

Tom Espiner of ZDNet UK reported from London.

[behni]

Breaking third party apps never stopped Microsoft before!

[Dalkorian]

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Maybe I should be reading the blog, but I didn't see him mention 3rd party apps. The upshot I got from it was they would end up breaking THEIR OWN apps.

To me this still isn't much of an excuse, but I"m sure the M$ apologists will jump all over it.

[nachurboy]

Since Vista and Server 2008 broke a lot of software already, why wasn't it fixed for those OS' release?

[timber2005]

Your suggestion businesses needed more of a reason not to adopt Vista/Server 08? They are the ones screaming for the backwards compatability, as far back as 95/98!

[nachurboy]

If Vista/Server 08 already broke a lot of apps, breaking SMB by fixing the problems it has won't make any difference to businesses, since they'd have to upgrade their software anyway. Fixing the SMB problem before Vista/Server 08 came out would have created more of a reason for XP to get fixed since the applications that would break due to the SMB fix would also be available for XP. Just because businesses wanted backwards compatibility doesn't mean they got it with Vista.

[Penguinisto]

So, err, why was Samba not vulnerable to this the whole time? What "consumer network applications" were allegedly affected?

Sorry, but it seems a pretty sorry excuse considering the risks.

/P

[Vegaman_Dan]

It also sounds like the issue was pretty darn obscure if it hasn't caused any trouble in all this time. You didn't even know about it, Penguinisto, and you're first to point out any and all flaws.

The excuse does sound fairly weak, but they could be like Apple and never say anything at all or admit there was ever an issue in the first place. Which would you rather have?

[Penguinisto]

Hey Dan? Exploit code had been floating out there for seven years. Untold numbers of machines were infected at local hot-spots, lan-parties, and various other places...

Apple has their own problems when it comes to disclosure or action on a flaw IMHO... OTOH, to their credit they've managed to prevent any virus outbreak from ever occurring on OSX, and have always acted to close any flaw out there with exploit code attached to it... so your complaints in their direction seem rather moot at best.

Also, what I point out or not point out makes no diff - Windows has too many exploitable flaws --even now-- to list them all in this space. securityfocus.com (among many others) happily do that publicly... go look there ;)

[alegr]

Are you sure it's not vulnerable? Have you checked Samba codes and changelogs?

[mbenedict]

Please, stop talking about things you have no knowledge about.

1) This is an old design flaw in CIFS when using NTLM authentication. Any implementation of the protocol, including Samba, is vulnerable.
2) This flaw is actually not generally exploitable for most systems post Windows 95. That's because Microsoft implemented a protocol change to allow for "SMB Message Signing". This change prevents "man-in-the-middle" attacks such as SMB replay attacks.
3) By default, Windows 2000 and newer systems (including XP, Vista, etc) requires SMB Message Signing so this vulnerability is not exploitable, UNLESS SMB MESSAGE SIGNING IS PURPOSEFULLY TURNED OFF.
4) Windows 95 (and OS/2) cannot use SMB Message Signing. This means these old systems cannot connect to a modern Windows network. Unfortunately some "system administrators" then disable SMB Message Signing to allow for Win95 interoperability.
5) The latest patch basically forces signing, breaking compatibility with old systems for good.

Here's a Microsoft article from 2005 which describes the problem and solutions:

http://technet.microsoft.com/en-us/library/cc512612.aspx
6) Vista and Server 2008 have additional defenses which further mitigate against this type of attack even if message signing is disabled.
7) "Untold number of machines were infected"? What kind of bogus statement is that? Outside of lab environments, there have been ZERO reports of this vulnerability actually being exploited in the wild. Again by default any Microsoft OS since Win95 is not actually exploitable.

[Penguinisto]

"1) This is an old design flaw in CIFS when using NTLM authentication."

Nice caveat. ;)

"2) This flaw is actually not generally exploitable for most systems post Windows 95."

...so the exploit code that came out for Windows 2000 - explain its presence. You're trying to hide behind generalities here. You also ignore the lingering presence of mixed environments, Windows NT 4, and etc... and those pesky "consumer network applications" that MSFT points to as their excuse.

Not that it was easily exploitable, but was exploitable nonetheless. I mentioned "untold" numbers because there is no accurate count.

[mbenedict]

I already said it. The exploit code will NOT work on Windows 2000 unless SMB Message Signing is disabled. Same with NT 4 with Service Pack 3 or later.

The only real issue is supporting Windows 95 and OS/2. (Actually a fix is available even for Win95). But if you're still running either of those OSes, than you probably have larger security issues, and poor IT governance.

[n3td3v]

Why did you need to mention HD Moore's name or his projects? Damn.

[wolivere]

One question, how often has this been exploited?

[n3td3v]

Lot's more times than it would of because of Metasploit project that I wish the government would get to grips with and stop pretending its some lawful program for security professionals. Its an evil tool used by script kids primarily, and somethings got to be done about it.

[Vegaman_Dan]

Apparently not enough to actually have anyone even notice it. Pretty darn obscure if you ask me.

[Penguinisto]

...because no one ever uses Metaspoit, right Dan?

[mbenedict]

@wolivere:

There are NO evidence that this vulnerability has actually been exploited outside of lab environments, because default settings prevent this vulnerability from being exploited (hence the assigned security rating is "important" rather than "critical").

Quote:

"When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers"

[Penguinisto]

...has no one defending this ever heard of combining attack vectors?

Cripes.

/P

[gsmiller88]

Like I said, it just took them THAT long to fix it :-P

[ferretboy88]

If we just find all the bad guy computer hackers and take them out then we should take care of all the problems with computer security.

[Dalkorian]

How completely ignorant of you. Contrary to popular belief, it wouldn't solve all the security problems if we just "took out" all the "bad guy computer hackers", because *nix OS's have vulnerabilities too so it's not just winblows developers.

Besides, we need these "bad guys" to find the flaws that the OS developers would rather keep hidden so the flaws can actually get fixed. With a decent OS that fix comes in weeks, but with M$ it can and sometimes does take years.

[ittesi259]

Wow I read this as "We left everyone vulnerable because it might hurt an app or 2....so we left ALL of our customers open to a vulnerability"

Wow really?

[gp2792]

You read it that way? Wow really? Try again:

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

many (or nearly all).....not an app or 2. what would your response be if ms released a patch that blew away many or nearly all network based apps? Would you be thanking MS for closing out this obscure vulnerability? somehow, i think you would be in the minority.

[PCWizKid]

Patched or not, you still need to tweak Windows for best performance.

I have recorded a series of video tutorials and how to's on tweaking Windows Vista, XP and Ubuntu.

visit http://PCWizKidsTechTalk.com for all the rtips, tweaks and hacks

Cheers
PCWizKid

[The_happy_switcher]

Right, because Microsoft has never broken anything else before. LOL