Windows Update Patch Process Faulty, Expert Says
Claims flaw fools users into thinking that their systems have been patched properly
Computerworld - Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not, a security expert said last week.
The claim, made by Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp., was strongly refuted by Microsoft as being unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch.
Windows Update relies only on the "registry key" information associated with each patch to determine if a system has a specific patch, Cooper said.
When a user goes to the Windows Update site, a program first scans the user's system for the registry keys to determine what patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch, even though the patch itself may not be installed. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because of insufficient system resources to install a patch, according to Cooper.
In such cases, Windows Update is fooled into thinking the system is patched because all it's using to verify the existence of a patch is the associated registry-key information, Cooper said. It's for this reason that other patch management products look for patch-specific file information in addition to registry-key information when verifying the existence of a patch, he said.
On the Defensive
Stephen Toulouse, a security program manager at Microsoft, dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.
Citing the patch for the latest Windows remote procedure call vulnerability (MS03-026), Toulouse said there have been "tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse added that the method Cooper used to demonstrate the problem was a highly unlikely and "artificial" scenario.
"It is entirely possible to try and make something fail," Toulouse said. "The question is, how realistic is the scenario?"
Windows Update is checking file versions for the latest patch relating to the Windows vulnerability that Blaster took advantage of, Cooper said. But the same isn't true for all patches, he claimed.
"There are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed bysimply writing a registry value," according to one security expert, who requested anonymity.
As of Aug. 13, patches for at least three critical vulnerabilities announced this year could be spoofed using registry keys, according to the source.
At least one user has given up on Windows Update altogether. Vivek Kundra, director of infrastructure technologies for Arlington County, Va., last week said his department had problems using the Windows Update server technology to deploy the patches.
Although the county government began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly on the county's 3,500 workstations. As a result, it switched to Novell Inc.'s ZENworks to distribute the patches, Kundra said.
Read more about Windows in Computerworld's Windows Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts