Windows Update Patch Process Faulty, Expert Says
Claims flaw fools users into thinking that their systems have been patched properly
Computerworld - Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not, a security expert said last week.
The claim, made by Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp., was strongly refuted by Microsoft as being unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch.
Windows Update relies only on the "registry key" information associated with each patch to determine if a system has a specific patch, Cooper said.
When a user goes to the Windows Update site, a program first scans the user's system for the registry keys to determine what patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch, even though the patch itself may not be installed. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because of insufficient system resources to install a patch, according to Cooper.
In such cases, Windows Update is fooled into thinking the system is patched because all it's using to verify the existence of a patch is the associated registry-key information, Cooper said. It's for this reason that other patch management products look for patch-specific file information in addition to registry-key information when verifying the existence of a patch, he said.
On the Defensive
Stephen Toulouse, a security program manager at Microsoft, dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.
Citing the patch for the latest Windows remote procedure call vulnerability (MS03-026), Toulouse said there have been "tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse added that the method Cooper used to demonstrate the problem was a highly unlikely and "artificial" scenario.
"It is entirely possible to try and make something fail," Toulouse said. "The question is, how realistic is the scenario?"
Windows Update is checking file versions for the latest patch relating to the Windows vulnerability that Blaster took advantage of, Cooper said. But the same isn't true for all patches, he claimed.
"There are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed bysimply writing a registry value," according to one security expert, who requested anonymity.
As of Aug. 13, patches for at least three critical vulnerabilities announced this year could be spoofed using registry keys, according to the source.
At least one user has given up on Windows Update altogether. Vivek Kundra, director of infrastructure technologies for Arlington County, Va., last week said his department had problems using the Windows Update server technology to deploy the patches.
Although the county government began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly on the county's 3,500 workstations. As a result, it switched to Novell Inc.'s ZENworks to distribute the patches, Kundra said.
Read more about Windows in Computerworld's Windows Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!