Microsoft Endeavors to Improve Windows Patches

By David Worthington | Published August 15, 2003, 5:18 PM

Russ Cooper, a moderator for the NTBugtraq mailing list, claims to have uncovered a critical flaw in Microsoft's Windows Update patching process. The problem lies in the method WU uses to confirm installation of fixes – a brief inspection of information in the Windows registry.

According to Cooper's findings, should an installation fail, information may still be entered into the registry, generating a false sense of security against present dangers like the "Blaster" worm. Microsoft disputes the research following its own internal testing.

The software giant has since attempted to reproduce Cooper's findings internally in what it called "an unlikely scenario" for users. Without altering the Windows Update detection mechanism, Microsoft claims it was unable to do so.

Microsoft's Stephen Toulouse told BetaNews that the company has confirmed "tens of millions" of successful installations of the MS03-026 patch from Windows Update. However, he strongly urges customers who feel that they have run into any problem to contact Microsoft directly so that a proper investigation may be conducted. "We are not satisfied until 100% of our customers have installed the patch to help protect their computers," said Toulouse.

BetaNews was also told that improvements to Windows Update have taken place in the past, and will continue into the future.

In a statement, Toulouse said that he and his colleagues are working closely with Microsoft Support Services to monitor all calls regarding issues like this, and are unaware of any widespread problems to date. Some outside security experts are in agreement.

"After spending a lot of the time with various members of the MS security staff, I am prepared to give the benefit of the doubt on security matters. Patching millions of machines in a short amount of time is no trivial task for the vendor or the customer," said Jeremiah Grossman of the firm WhiteHat Security.

Grossman continued, "I have read and analyzed both sides of the argument from Russ and MS, they seem to be both right in some cases. The fact of the matter is, machines are being properly patched and the Net is becoming more secure. The fact that people like Russ are questioning the methods makes for a better system the next time."

While defending the good graces of Windows Update, Microsoft is concurrently moving forward on two significant projects to bolster its capacity to protect customers. The Windows Installer Program 3.0 and Software Update Services 2.0 are currently undergoing development to incorporate lessons learned and responses solicited from customer feedback.

According to Microsoft, the Windows Installer (MSI) 3.0 Beta 1 release will be available for download and testing in early September 2003. MSI 3.0 is aimed at improving servicing: authoring, creating, distributing and managing updates to applications. All of these improvements result in fewer reboots and an attempt to avoid nightmare scenarios of file versions overwriting one another.

Release notes indicate that MSI 3.0 allows more than one patch to be installed or removed in a single installation transaction with integrated progress, rollback, and reboot behavior. Patches installed together in a single transaction can still be uninstalled individually.

If one patch in the set obsoletes, supersedes, or touches the same files as other patches in the set, MSI will take this into account. MSI 2.0 patches are fully supported, and there are no additional authoring requirements to enable this functionality.

Other improvements include: a patch sequencing table and APIs to manage the list of sources for products and patches, as well as enabling product, feature, component and patch inventory queries.

While this beta has already assembled a pool of testers, the Microsoft Software Update Services (MSUS) 2.0 Pre-release Program is accepting nominations at the BetaPlace Web site using the guest ID: MSUSCustNom.

Alongside Windows Installer, the MSUS pre-release keeps all products ranging from Windows, to Office, SQL, and Exchange up to date.

"Moving forward we believe that technologies like the new Windows Installer and future versions of Software Update Services will continue to incorporate our customers' feedback and the lessons we learned and help drive patch installation," stated Microsoft's Toulouse.

Comments


The latest MSBlaster patch requires a patch so I hear.

I see Microsoft's Steve Ballmer running around his office with thousands of c***roaches running loose on the floor. He steps on one bug then another, then another, then another, then another, then another....lol.


This seems too "easy" for a virus/worm writer to bypass. The majority of home (read naive) users depend on something like Windows Update to tell them when they need to apply a patch. So what is to prevent something like the "Blaster" worm from doing two things when it tries to infect the machine: one is to start its tftp software, the other is to write a registry key so that Windows Update thinks that the machine is already patched?

While the registry might be the fastest and most convenient way of checking which patches have been applied, I think that until MS is using signed code for all the modules, and checking for the correct file versions (or greater) for patches, there is just too large a hole there to be exploited. So we can only hope that Microsoft will step up to their "marketing mantra" and really take security and system stability to heart and implement a complete and robust check on things like patches.

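The cross-check the article and the comment above both point at, as an added example that is not part of the original article or of any Microsoft tool: a registry entry only records that a hotfix was written, while the versions of the files the patch replaces show whether it actually took. This audit treats file versions as the source of truth and flags hosts whose registry claims a patch their files do not confirm. Every host name, file path and version number below is constructed sample data, not a real MS03-026 value.

```python
"""Audit patch state by file version, not by registry claim alone."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'5.0.2195.6702' -> (5, 0, 2195, 6702); short strings pad with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

# Hypothetical requirement table: each file a patch replaces and the minimum
# ("correct or greater") version it must reach. Placeholder numbers only.
REQUIRED_FILES: Dict[str, Version] = {
    r"C:\WINDOWS\system32\rpcss.dll": parse_version("5.0.2195.6700"),
}

def audit_host(host: dict, required: Dict[str, Version] = REQUIRED_FILES) -> str:
    """Classify one host as 'patched', 'unpatched' or 'false_positive'.

    'false_positive' is the case the article describes: the registry says the
    patch is installed, but the on-disk files are still below the required
    version, so the machine is not protected.
    """
    files_ok = all(
        parse_version(host["files"].get(path, "0")) >= minimum
        for path, minimum in required.items()
    )
    if files_ok:
        return "patched"
    return "false_positive" if host["registry_claims_patch"] else "unpatched"

def audit(hosts: List[dict]) -> Dict[str, List[str]]:
    """Group host names by outcome so the false positives stand out."""
    report: Dict[str, List[str]] = {"patched": [], "unpatched": [], "false_positive": []}
    for host in hosts:
        report[audit_host(host)].append(host["name"])
    return report

# Constructed inventory: one host per outcome (ws02 failed after the registry write).
SAMPLE_HOSTS = [
    {"name": "ws01", "registry_claims_patch": True,
     "files": {r"C:\WINDOWS\system32\rpcss.dll": "5.0.2195.6702"}},
    {"name": "ws02", "registry_claims_patch": True,
     "files": {r"C:\WINDOWS\system32\rpcss.dll": "5.0.2195.6600"}},
    {"name": "ws03", "registry_claims_patch": False,
     "files": {r"C:\WINDOWS\system32\rpcss.dll": "5.0.2195.6600"}},
]

if __name__ == "__main__":
    for outcome, names in audit(SAMPLE_HOSTS).items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

In practice the `files` map would be filled from the actual file version resources on each machine and the requirement table from the vendor's patch documentation; the classification logic stays the same.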
