| | #1 (permalink) |
| Ol' Timer Join Date: Jul 2003 Location: nr. Cheltenham, UK
Posts: 2,086
Thanks: 2
Thanked 8 Times in 8 Posts
| Windows Update flaw 'left PCs open' to MSBlast

From: http://news.zdnet.co.uk/0,39020330,39115732,00.htm

Munir Kotadia
ZDNet UK
August 15, 2003, 14:40 BST

A flaw in Windows Update caused some organisations - including the US Army - to wrongly believe they were protected from MSBlast, according to a researcher

A flaw in Windows Update -- Microsoft's online tool that lets customers update their operating system with patches and fixes -- enabled the MSBlast worm to infect computers that appeared to have already been patched, according to a security expert.

The flaw led to a US Army server, among others, falling victim to MSBlast, according to Russ Cooper, chief scientist at security company TruSecure.

Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them a list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

"We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

"If you go to Microsoft's site and say, 'tell me if I am up to date', and it says 'you are up to date', but you are not, what are you supposed to do?" he said.

In order to fix the problem, Windows Update should be looking for the actual fix rather than just a registry entry, Cooper argued. This feature is already included in the tool, but is not "fully enabled", Cooper said.

He recommends that users should run the Microsoft Baseline Security Analyzer (MBSA) as an alternative to Windows Update for checking to see if patches have been correctly installed. MBSA is also designed to look for security problems in the Windows registry and can be downloaded free from Microsoft's Web site.

Microsoft did not respond to requests for comment on the Windows Update issue.

Patching has been a thorn in Microsoft's side, with companies complaining that it takes far too long to implement patches because of the compatibility testing that is necessary before deploying them to thousands of servers and desktops. Additionally, the sheer volume of patches being generated by Microsoft means that companies are finding it difficult to keep up.

Stuart Okin, chief security officer at Microsoft UK, admitted that Microsoft customers spend too much time fixing their systems: "Our customers don't necessarily have the programmes, processes and environments in place to deal with dynamic changes," he said.

He admitted that companies have had problems deploying the patch to thousands of workstations or servers "within the space of four weeks" -- approximately the time between when the vulnerability was discovered and the worm was released.

Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system.

Okin said that within two years, Microsoft will have made significant changes to its Windows Update service. The company is planning on introducing a single update source -- probably called Microsoft Update -- which will be capable of updating all of the Microsoft products installed on a computer.

--------------------------------------------------------------------

You can download the Microsoft Baseline Security Analyzer from here http://www.microsoft.com/technet/tre...s/mbsahome.asp

I ran it and it found one critical patch was missing and three which were mis-configured in some way. Windowsupdate.com found no problems!!

Unfortunately it's not automated. After the scan you have to click 'result details' next to any problems shown in the report and then install each patch individually.

Ben |
| | |
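The check Cooper argues for in the article quoted in post #1 (look for the fixed file, not just the registry entry), as an added example that is not part of the thread and is not how Windows Update or MBSA is implemented. It assumes the registry is modelled as a set of "installed" markers and the disk as a map of file name to version; every patch id, file name and version below is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PatchSpec:
    patch_id: str       # placeholder id, not a real bulletin or KB number
    file_name: str      # file the patch is supposed to replace
    min_version: tuple  # lowest file version that contains the fix

def parse_version(text):
    """'5.1.2600.1230' -> (5, 1, 2600, 1230) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def marker_only_scan(specs, registry_markers):
    """The flawed check: trust the 'installed' registry entry alone."""
    return {s.patch_id: s.patch_id in registry_markers for s in specs}

def verified_scan(specs, registry_markers, files_on_disk):
    """Compare each registry marker with the file version actually present."""
    report = {}
    for s in specs:
        marked = s.patch_id in registry_markers
        version = files_on_disk.get(s.file_name)  # None: file is missing
        fixed = version is not None and parse_version(version) >= s.min_version
        if marked and fixed:
            report[s.patch_id] = "installed"
        elif marked:
            report[s.patch_id] = "marker_without_fix"  # the case in the article
        elif fixed:
            report[s.patch_id] = "fix_without_marker"
        else:
            report[s.patch_id] = "missing"
    return report

# Constructed inventory for one host (all names and versions are made up).
SPECS = [
    PatchSpec("PATCH-A", "svc_a.dll", (5, 1, 2600, 1230)),
    PatchSpec("PATCH-B", "svc_b.dll", (5, 1, 2600, 1106)),
    PatchSpec("PATCH-C", "svc_c.dll", (6, 0, 0, 10)),
    PatchSpec("PATCH-D", "svc_d.dll", (1, 0, 0, 2)),
]
REGISTRY_MARKERS = {"PATCH-A", "PATCH-B", "PATCH-C"}
FILES_ON_DISK = {"svc_a.dll": "5.1.2600.1230", "svc_b.dll": "5.1.2600.1000",
                 "svc_d.dll": "1.0.0.9"}

if __name__ == "__main__":
    trusted = marker_only_scan(SPECS, REGISTRY_MARKERS)
    for patch_id, status in verified_scan(SPECS, REGISTRY_MARKERS, FILES_ON_DISK).items():
        print(patch_id, "marker says installed:", trusted[patch_id], "->", status)
```

PATCH-B (marker present, file too old) and PATCH-C (marker present, file absent) are the two ways an incomplete installation leaves a host that a marker-only scan reports as up to date.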
| | #3 (permalink) |
| Ive got 10/40w for blood... Join Date: Jul 2003 Location: Somewhere, sometime, dunno why though.
Posts: 516
Thanks: 0
Thanked 0 Times in 0 Posts
| Again, shows that M$ think ahead (or for different possibilities (look for patch instead of reg entry)) and then don't utilize what they thought of. Things like this could bring the Computing industry to its knees! |
| | |
| | #4 (permalink) |
| Team HEXUS.net | good post the ms thing you linked to is good |
| | |
| | #5 (permalink) |
| One skin, two skin...... Join Date: Jul 2003 Location: Gateshead
Posts: 1,703
Thanks: 0
Thanked 0 Times in 0 Posts
| Re: Windows Update flaw 'left PCs open' to MSBlast
FIGURES! BILL, you can go and shove your monopoly up your bloody arse! |
| | |
| | #6 (permalink) |
| Sublime HEXUS.net | It's been said before, and I'll say it again, the only thing Microsoft really care about is making their profits over everything else.. Oh and I've read on some of the other sites where people who have worked for M$ in the past have posted, and the way Windows is programmed is a complete joke, there's very little planning involved and even less communication between the departments and even on the same teams... Originally Posted by silent ben
Last edited by Stoo; 19-08-2003 at 12:46 PM.. |
| | |
| | #8 (permalink) |
| One skin, two skin...... Join Date: Jul 2003 Location: Gateshead
Posts: 1,703
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
| | |
| | #9 (permalink) |
| Sublime HEXUS.net | If a company is selling a product, then that product should be the main focus, making it profitable would be the second (and obviously important) focus. It seems to me that most places have forgotten why they are in business in the first place - To provide a service or product to people/other businesses. Companies that only care about profit at the expense of the product they are selling will eventually fail - if the company doesn't give a toss about the product, then why should the customers? Originally Posted by silent ben
|
| | |
| | #10 (permalink) |
| F.A.S.T. Join Date: Jul 2003 Location: Wales
Posts: 4,132
Thanks: 14
Thanked 16 Times in 13 Posts
| Customer care only matters if the customer is at risk of going somewhere else for business, in Microsoft's case Windows is the best O/s, their server o/s is the best (perhaps), their office package is the best, their web browser is the most dominant, their media player is the most widely used, their instant message program has been bundled with every pc for the last 2 years. Why should they care what you think? They don't need to, you're not going anywhere else, you're still moaning even though you're sitting in front of a MS box using IE in between working on some docs in word 2000 (wild generalisation before you bite my head off and tell me you're using opera or some such). Wake up to the real world, if there is no competition for a product the monopoliser is under no obligation to fully satisfy all its customers. That's where MS is at at the moment and that's how they're playing it. They may have to change at some stage, and actually listen to customer feedback about security, bugs, licensing. These are the things we hate about MS products but we still buy them in their millions. I get so bored of anti MS moaners. Just live with it, or install linux and suffer in silence. *shrug* (sorry for being a bit blunt, but better to be blunt than beat around the bush eh? ) Butuz |
| | |
| | #11 (permalink) |
| One skin, two skin...... Join Date: Jul 2003 Location: Gateshead
Posts: 1,703
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
| | |