March 13, 2009 6:17 PM PDT

Microsoft, researcher spar over security patch

by Elinor Mills

On Tuesday, Microsoft released a patch for a hole in Windows 2000 and Server 2003 and 2008 that could allow an attacker to redirect network traffic to a malicious site that has been set to serve as a proxy.

The vulnerability, rated important by Microsoft, stems from a feature that allows IT managers to set a Windows Proxy Auto-Discovery, or WPAD, entry in the DNS. If IE or Firefox is configured to "automatically detect settings," the browser will connect to the proxy machine that entry names.

This is a useful feature for corporations that want to set up their own proxy server for monitoring employee Web use and for security purposes. But it also could allow for a man-in-the-middle type of attack if an outsider were able to set the WPAD entry through a dynamic DNS update so that the traffic is diverted to a malicious IP address.

The patch solves the problem for systems with no WPAD entry in the DNS by blocking future queries for WPAD. But for systems that already have a WPAD entry, the patch does nothing.

IT managers who install the patch could be given a false sense of security that any compromised systems have been fixed, said Tyler Reguly, senior security research engineer at nCircle, who contacted Microsoft and wrote a blog post about his concerns the same night Microsoft released its update.

In a blog post the following day, Reguly said a Microsoft representative told him the company chose to leave existing WPAD entries untouched because it is not possible to differentiate legitimate WPAD entries from ones loaded by an attacker.

But Microsoft could at least have included a pop-up message in that instance, warning users that the DNS has a WPAD entry, and maybe even ask if they want to keep it or block it, Reguly said.

"I understand the need to preserve functionality, but not at the cost of sweeping security issues under the rug," he wrote.

In response to the concerns, Microsoft issued a more detailed technical note on the update on Friday. It said the company didn't want to impair functionality and chose not to risk breaking any administrator configurations on the chance that the WPAD entry was not legitimate, even if that means an attack already in place would continue to be effective.

"This is indeed not a scenario the security update, or any security update released by Microsoft aims to address," the Microsoft note says. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past."

The note then provides instructions for how an administrator can validate the IP address assigned to the WPAD entry in the DNS.
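To make the behaviour described above concrete, the following is an added Python model, not Microsoft's code and not the procedure from its technical note. It models three things the article describes: the browser's WPAD lookup when "automatically detect settings" is on, the update leaving an existing WPAD entry alone while blocking future WPAD queries on a clean zone, and the administrator's check that the address on the WPAD record is one of the known proxies. The domain corp.example, the zone records and the allowlist of proxy addresses are constructed for the example.

```python
"""Added model of WPAD discovery, the update's behaviour as the article
describes it, and the administrator's validation check. Not Microsoft's or
nCircle's code; zone data, the domain corp.example and the proxy allowlist
are constructed for this example."""
from ipaddress import ip_address

# Constructed DNS zone for corp.example: fully qualified name -> IPv4 address.
ZONE = {
    "proxy.corp.example": "10.0.0.5",
    "fileserver.corp.example": "10.0.0.20",
}

# Assumed allowlist: addresses the administrator knows to be legitimate proxies.
LEGITIMATE_PROXIES = {"10.0.0.5"}


def resolve(zone, name, block_list=frozenset()):
    """Answer a query from zone data, unless the name's first label is on the
    server's block list (this is how the modelled update stops future WPAD
    lookups)."""
    name = name.lower()
    if name.split(".")[0] in block_list:
        return None
    return zone.get(name)


def discover_wpad(zone, domain, block_list=frozenset(), auto_detect=True):
    """Return the PAC URL a browser set to "automatically detect settings"
    would fetch, or None if auto-detect is off or no WPAD name resolves.
    The browser strips leading labels until only the parent domain is left."""
    if not auto_detect:
        return None
    labels = domain.split(".")
    for i in range(len(labels) - 1):          # never query the bare TLD
        candidate = "wpad." + ".".join(labels[i:])
        if resolve(zone, candidate, block_list):
            return f"http://{candidate}/wpad.dat"
    return None


def dynamic_update(zone, name, address):
    """Simulate a dynamic DNS update that registers a name in the zone."""
    ip_address(address)                      # reject malformed addresses
    zone[name.lower()] = address


def apply_ms_update(zone, domain, block_list):
    """The update as the article describes it: block future WPAD queries only
    when the zone has no WPAD entry; an existing entry is left untouched."""
    if resolve(zone, f"wpad.{domain}") is None:
        block_list.add("wpad")
        return "wpad blocked"
    return "existing wpad entry left untouched"


def validate_wpad_entry(zone, domain, legitimate):
    """The manual check the technical note asks for: compare the address on
    the WPAD record with the list of known-good proxies."""
    addr = zone.get(f"wpad.{domain}".lower())
    if addr is None:
        return ("absent", None)
    return ("legitimate" if addr in legitimate else "unexpected", addr)


if __name__ == "__main__":
    # A zone that already carries a WPAD record pointing somewhere unexpected:
    # the update changes nothing, browsers keep using it, validation flags it.
    zone = dict(ZONE)
    dynamic_update(zone, "wpad.corp.example", "203.0.113.7")
    block = set()
    print(apply_ms_update(zone, "corp.example", block))
    print("browser fetches:", discover_wpad(zone, "corp.example", block))
    print("validation:", validate_wpad_entry(zone, "corp.example", LEGITIMATE_PROXIES))
```

Running the module shows the case Reguly objects to: on a zone that already has a WPAD record the update reports the entry untouched, the browser still fetches its PAC file, and only the manual `validate_wpad_entry` check reveals that the address is not on the proxy allowlist. On a clean zone the same `apply_ms_update` adds `wpad` to the block list, after which `discover_wpad` finds nothing even if a WPAD record is registered later.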

In a telephone interview with CNET News late on Friday, Reguly remained disappointed with how Microsoft implemented its fix for the problem.

"They could have done things to mitigate the fact that they chose function over security," he said. "They also could have modified DNS so you couldn't do dynamic updates with WPAD."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by BtmnHatesRbn March 13, 2009 7:16 PM PDT
The world's most insecure OS. Run Spybot S&D and see who's using your Winblow$ computer for their own purposes, then go to zabasearch.com and type your name in and find out somebody using your personal info is using it without your knowledge.
by rhsc March 13, 2009 8:00 PM PDT
"Windows 2000 and Server 2003 and 2008," not XP. Keep on trolling.
by Lerianis3 March 13, 2009 10:50 PM PDT
Get real, BtmnHatesRbn. The fact is that NO OS is going to be totally 'secure' and Windows (past XP) is not an insecure OS in the slightest for consumers. There are ALWAYS going to be attack vectors into systems, commercial and consumer. You just deal with that and fix things as you find them in the OS's, using LAYERED security to avoid most of the problems in the first place.
by Tarq57 March 16, 2009 1:25 AM PDT
Zabasearch. Nice. We don't all live in the USA, though.
by thenet411 March 13, 2009 8:06 PM PDT
Tyler needs to learn to read. Any idiot who patches systems without reading the tech docs deserves to be kicked in the jewels.
by timber2005 March 14, 2009 10:03 AM PDT
Any networking engineer would be checking news on why there is an out-of-cycle patch too.
by Mergatroid Mania March 13, 2009 9:23 PM PDT
Still, this is the same attitude that has made Windoze a security laughing stock over the years. Functionality over security. Just when will they learn?
by Lerianis3 March 13, 2009 10:55 PM PDT
Excuse me, but most people want a functional OS that you can actually do stuff on... it's just me but my system is meant to be USED, not to sit there like a stump.
The real issue is the internet. People have STILL not figured out how to guarantee security while having connectivity to the internet..... and I seriously doubt that we ever will have that total guarantee.
by thenet411 March 14, 2009 8:00 AM PDT
@Lerianis3
Guess what? People STILL have not figured out how to guarantee safety while driving a car. No one can "guarantee" anything. It all comes down to the individual being responsible for their own choices. New cars, highway design, and street signs all exist to help drivers be safer on the road but all of those are nothing if an idiot decides to drive 100mph in the wrong lane. The same is true for connecting devices to the Internet. AntiVirus applications, AntiSpyware applications, and firewalls can provide some security but are nothing if some idiot decides to not pay for AntiVirus or AntiSpyware apps and turn off his firewall while surfing the web for warez.
by tm_anon March 14, 2009 4:59 PM PDT
@Lerianis3

A system should be used. Mine gets used by me. Leaving a security hole like the one that wasn't fixed means that a Windows computer gets used by others more than it gets used by the actual owner.

Between having a more secure OS and having one that is easier to use (by someone else), I choose more security. At least I'll have a better shot at knowing who's been using my stuff.
by Super2online March 15, 2009 6:28 AM PDT
Sometimes the name Windows is used far too generally. Windows comes in many flavors for many different purposes. Consumers are not at risk here if they are using a consumer version. Businesses will need to determine for themselves what's more important and what's not, not hecklers on CNET News.
by 3rdalbum March 14, 2009 5:09 AM PDT
On this occasion, Microsoft is correct and the security researcher is wrong.

Microsoft doesn't have any obligation to fix machines that are already infected. None of its security patches in the past have removed infections, only stopped clean computers from getting infected in the future. This is especially the case if no malicious code actually reaches the computer.

Software vendors release advisories about known security flaws and patches, and it's the IT administrator's job to read those.

And can we please stop with the "Oh, this proves that Microsoft sucks at security" crap. They do, but not as badly as many companies - and Microsoft is becoming more security-oriented. This security patch sounds like something you'd get pushed on an Ubuntu system where everyone would just update and not think anything of it. And it's not an Apple-like "Oh my god, I can't believe they couldn't see the security implications of that!" situation.
by timber2005 March 14, 2009 10:05 AM PDT
Very true. When has any other OS (post-update) shown a warning message telling a (likely) knowledgeable administrator to validate a setting?
(Honestly, I'm asking... it might have happened before.)
by tm_anon March 14, 2009 4:56 PM PDT
@timber2005

That's because, with any other OS, the warning message would be there from the beginning.

@3rdalbum

MS wouldn't have even bothered telling the administrators about the security hole left intentionally to "ensure usability".

Proof of this is that they didn't put out the information until it was pointed out by the security researcher publicly.

As for Microsoft security, the "I'm a Mac" ads that came out did more for Windows security than any Windows code writer ever did. The internet has been around for a very long time to be just now starting to get it closer to right. At least they're starting.