Windows Update Patch Process Faulty, Expert Says
Claims flaw fools users into thinking that their systems have been patched properly
Computerworld - Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not, a security expert said last week.
The claim, made by Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp., was strongly refuted by Microsoft as being unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch.
Windows Update relies only on the "registry key" information associated with each patch to determine if a system has a specific patch, Cooper said.
When a user goes to the Windows Update site, a program first scans the user's system for the registry keys to determine what patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch, even though the patch itself may not be installed. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because of insufficient system resources to install a patch, according to Cooper.
In such cases, Windows Update is fooled into thinking the system is patched because all it's using to verify the existence of a patch is the associated registry-key information, Cooper said. It's for this reason that other patch management products look for patch-specific file information in addition to registry-key information when verifying the existence of a patch, he said.
On the Defensive
Stephen Toulouse, a security program manager at Microsoft, dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.
Citing the patch for the latest Windows remote procedure call vulnerability (MS03-026), Toulouse said there have been "tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse added that the method Cooper used to demonstrate the problem was a highly unlikely and "artificial" scenario.
"It is entirely possible to try and make something fail," Toulouse said. "The question is, how realistic is the scenario?"
Windows Update is checking file versions for the latest patch relating to the Windows vulnerability that Blaster took advantage of, Cooper said. But the same isn't true for all patches, he claimed.
"There are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed bysimply writing a registry value," according to one security expert, who requested anonymity.
As of Aug. 13, patches for at least three critical vulnerabilities announced this year could be spoofed using registry keys, according to the source.
At least one user has given up on Windows Update altogether. Vivek Kundra, director of infrastructure technologies for Arlington County, Va., last week said his department had problems using the Windows Update server technology to deploy the patches.
Although the county government began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly on the county's 3,500 workstations. As a result, it switched to Novell Inc.'s ZENworks to distribute the patches, Kundra said.
Read more about Windows in Computerworld's Windows Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Taking Windows Mobile on Any Device Taking Windows applications mobile has many advantages, but the process of identifying a solution is complex. Learn how to solve this complex problem...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Windows White Papers | Webcasts