Security

Read all 'Microsoft Server Message Block' posts in Security
November 13, 2008 1:04 PM PST

Microsoft explains seven-year patch delay

by Tom Espiner
  • 26 comments

Microsoft has offered an explanation as to why it took the company seven years to issue a patch for a known vulnerability.

The flaw, which lies in the Microsoft Server Message Block (SMB) protocol, was addressed Tuesday in Microsoft security bulletin MS08-068. The flaw could enable an SMB Relay attack, which would allow an attacker to install programs; view, change or delete data; or create new accounts with full user rights.

Christopher Budd, a security program manager in the Microsoft Security Response Center, said in a blog post Thursday that while Microsoft had been aware of the vulnerability, fixing it would have broken customer network applications.

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Budd explained that, while Microsoft in 2001 advised customers to use SMB signing, it knew then that the mitigation might not be a usable solution for some.

"We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it unfeasible for customers to implement SMB signing," wrote Budd.

The vulnerability was first publicly documented by a security researcher known as "Sir Dystic" during the @tlanta.con convention in 2001, according to the Metasploit blog. Metasploit also included an SMB Relay module in its attack tool earlier this year.

Metasploit said in a blog post Tuesday that the SMB patch from Microsoft was only partially effective.

"The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim," wrote 'HD.' "The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to."

Microsoft was not able to give immediate comment at the time of writing.

Tom Espiner of ZDNet UK reported from London.

Topics:
Vulnerabilities and attacks
Tags:
Microsoft Server Message Block,
sercurity,
patch,
Microsoft
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET