Text 12643, 151 lines
Written 2006-08-22 20:36:20 by /m (1:379/45)
Subject: Microsoft patch opens users to attack
=============================================
From: /m <mike@barkto.com>
http://www.securityfocus.com/news/11408
===
UPDATE: Microsoft continued to work on Tuesday to create a fix for an
exploitable flaw introduced by the company's latest security update to Internet
Explorer.
The flaw, initially thought to only crash Internet Explorer, actually allows an
attacker to run code on computers running Windows 2000 and Windows XP Service
Pack 1 that have applied the August cumulative update to Internet Explorer 6
Service Pack 1, security firm eEye Digital Security told SecurityFocus on
Tuesday. The update, released on August 8, fixed eight security holes but also
introduced a bug of its own, according to Marc Maiffret, chief hacking officer
for the security firm, which notified Microsoft last week that the issue is
exploitable.
By the following day, network administrators and users began complaining that
the update, MS06-042, caused Internet Explorer to crash when browsing some
sites. Three days later, security researchers at eEye discovered that the issue
could be used to not just crash the browser, but to compromise PCs running
Windows XP SP1 and Windows 2000. Other security researchers have also reported
the issue to Microsoft, Maiffret said.
"This information is definitely out in the underground," Maiffret said.
"Because of all the discussions on security mailing lists, they know that this
is a bug. Any half-decent researcher knows that this is an exploitable bug."
The issue likely affects millions of Windows users. Data released by Microsoft
in a report published in June broke down the types of operating systems used by
the 270 million computers scanned by the company's malicious software removal
tool. While nearly two thirds of systems were running Windows XP Service Pack
2, nearly 23 percent--or about 47 million systems--ran either Windows 2000 or
Windows XP SP1.
Microsoft had originally committed to supplying a new patch for the issue on
Tuesday, but due to a problem discovered during the final tests of the
software update, the company decided against releasing the fix. In a statement
sent to SecurityFocus after the initial story was published, Microsoft
confirmed the exploitability of the vulnerability and took eEye to task for
publicizing the ability of attackers to exploit the flaw.
"One of the researchers who originally disclosed the issue responsibly to
Microsoft has now chosen to publicly disclose the exploitability of the issue
before an update is broadly available for customers to deploy in order to
protect themselves," the company said in the statement sent to SecurityFocus.
"Microsoft continues to encourage responsible disclosure of vulnerabilities to
minimize risk to computer users."
The security slip-up casts a shadow on Microsoft's fight to convince users and
network administrators to immediately apply security patches issued by the
software giant. The latest monthly patches, released on August 8, fixed 23
flaws in common components of the Windows operating system. The flaws included
10 vulnerabilities that Microsoft deemed a critical concern. The U.S.
Department of Homeland Security even added its collective voice to those urging
users to fix their systems.
Microsoft planned to fix the problem introduced by the cumulative update on
Tuesday, but has delayed the release of its fix for the patch because it did
not pass final muster. eEye released its own advisory on Tuesday, withholding
specific details. That's more than Microsoft did, eEye's Maiffret said.
"It is reminiscent of early Microsoft security days that they would play the PR
blame game as a way to somehow shift attention from all of the mistakes they
have made surrounding the handling of this vulnerability," Maiffret said. "The
reality is that we released zero technical details to the public. The only
place where you can know exactly what the flaw location is, is from the
Microsoft advisory itself -- another mistake to add to their list."
When and how much to disclose about software vulnerabilities is a contentious
issue within the security community. Most recently, one researcher drew both
praise and criticism for releasing a browser bug every day for the month of
July. Other industries, such as those that build the systems used to monitor
and control manufacturing and power networks, are also starting to have a
similar debate.
In this case, more researchers were discovering that the issue could be
exploited, Maiffret said. Because attackers were likely learning of the issue
as well, he decided to publicize the fact that the flaw could be used to
compromise systems.
"The cat's out of the bag," Maiffret said. "When there are multiple threads on
the patch crashing systems on multiple security mailing lists, then you know
that people are going to investigate this. And multiple researchers have
already reported this to Microsoft."
The software giant originally declined to comment on the issue, but referred
SecurityFocus to its security Weblog, posted last week, which confirmed that a
bug introduced by the cumulative update crashed Internet Explorer and pledged
to bring out a patch on Tuesday.
"Since MS06-042 resolves a number of security vulnerabilities we recommend
customers continue to deploy the update, but we do plan to revise only the
IE6SP1 update and re-release the bulletin with more information by August 22nd
for all IE6SP1 customers," Mike Reavey, operations manager for the Microsoft
Security Research Center, stated on the group's blog.
A company spokesperson originally could not confirm that the flaw also could be
used to exploit vulnerable Windows systems.
The software giant posted a more in-depth article on the problem on August 11
and has a hotfix available from its product group. Users can also turn off
support for HTTP 1.1 in Internet Explorer as a temporary workaround. Using an
alternative browser, such as Mozilla's Firefox or Opera's eponymous browser,
also eliminates any threat from the flaw.
The incident may undo a great deal of the work that Microsoft has done to
convince users to trust its software updates and install them by default.
Under its nearly five-year-old Trustworthy Computing Initiative, the company
has fought to increase the number of users that apply patches automatically. In
the past, some network administrators have waited to test, or hear the
community reaction to, Microsoft's latest patch. A year ago, the company
refused to release a fix rather than push out a software update that could
cause problems.
Introducing a security issue in its latest set of patches undermines network
administrators' confidence in Microsoft's software updates, said Johannes
Ullrich, chief technology officer for the SANS Institute's Internet Storm
Center.
"The entire danger of this particular issue is that this is an important patch
to apply, but if they cause your applications to not work, network
administrators won't deploy patches," Ullrich said.
The Internet Storm Center had a couple of dozen reports of users encountering
crashes after the August cumulative update. That's the most complaints reported
to the group following a Microsoft patch, Ullrich said. The security expert
could not confirm that the flaw in the latest patch could be used by attackers
to compromise systems.
Yet, the security expert agreed with Microsoft's advice. Patching systems with
the latest software update is still important.
"Given that there were people exploiting some of the flaws fixed by this patch,
users should apply the fix," he said. "You have to somehow put other defenses
in place to defend against other issues."
UPDATE: The article was updated Tuesday at 3 p.m. PST with Microsoft's
confirmation of the exploitability of the flaw, Microsoft comment on the
disclosure and eEye's response to that comment. Microsoft had originally been
given a chance to comment on the disclosure and declined.
===
/m
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)