August 18, 2003 (Computerworld) -- Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not, a security expert said last week.
The claim, made by Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp., was strongly disputed by Microsoft, which called it unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch.
Windows Update relies only on the "registry key" information associated with each patch to determine if a system has a specific patch, Cooper said.
When a user goes to the Windows Update site, a program first scans the user's system for the registry keys to determine what patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch, even though the patch itself may not be installed. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because of insufficient system resources to install a patch, according to Cooper.
In such cases, Windows Update is fooled into thinking the system is patched because all it's using to verify the existence of a patch is the associated registry-key information, Cooper said. It's for this reason that other patch management products look for patch-specific file information in addition to registry-key information when verifying the existence of a patch, he said.
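One way a patch-verification tool can combine the registry check with the file-level check Cooper describes, as an added example (not Microsoft's or any vendor's code). The registry key, file path and version are placeholders, not values from the article, and would be taken from the bulletin's knowledge-base entry in practice:

```powershell
# Added example: verify a patch by both its registry footprint and the version
# of a file it ships. A system that has the registry key but the old file is
# exactly the state a registry-only scanner would misreport as "patched".
function Test-PatchInstalled {
    param(
        [Parameter(Mandatory)] [string]  $RegistryKey,     # hotfix key the installer writes
        [Parameter(Mandatory)] [string]  $FilePath,        # a binary the patch replaces
        [Parameter(Mandatory)] [version] $MinimumVersion   # file version the patch ships
    )
    $regPresent = Test-Path -Path $RegistryKey

    $fileOk = $false
    $fileVersion = $null
    if (Test-Path -Path $FilePath) {
        $raw = (Get-Item -Path $FilePath).VersionInfo.FileVersion
        # FileVersion strings may carry a build suffix, e.g. "1.2.3.4 (build-tag)";
        # keep only the leading dotted-numeric part so [version] can parse it.
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') {
            $fileVersion = [version] $Matches[1]
            $fileOk = $fileVersion -ge $MinimumVersion
        }
    }

    $status = if ($regPresent -and $fileOk) { 'Verified' }
              elseif ($regPresent)          { 'RegistryOnly' }     # key present, file still old
              elseif ($fileOk)              { 'FileOnlyNoRegistry' }
              else                          { 'Missing' }

    [pscustomobject]@{
        Status          = $status
        RegistryPresent = $regPresent
        FileVersion     = $fileVersion
        MinimumVersion  = $MinimumVersion
    }
}

# Placeholder inputs (not from the article); substitute the bulletin's own values.
Test-PatchInstalled -RegistryKey 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KBxxxxxx' `
                    -FilePath "$env:SystemRoot\System32\example.dll" `
                    -MinimumVersion '0.0.0.0'
```

A result of RegistryOnly is the condition the article describes: an interrupted installation that left the key behind without replacing the file.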
On the Defensive
Stephen Toulouse, a security program manager at Microsoft, dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.
Citing the patch for the latest Windows remote procedure call vulnerability (MS03-026), Toulouse said there have been "tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse added that the method Cooper used to demonstrate the problem was a highly unlikely and "artificial" scenario.
"It is entirely possible to try and make something fail," Toulouse said. "The question is, how realistic is the scenario?"
Windows Update is checking file versions for the latest patch relating to the Windows vulnerability that Blaster took advantage of, Cooper said. But the same isn't true for all patches, he claimed.
"There are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed by simply writing a registry value," according to one security expert, who requested anonymity.
As of Aug. 13, patches for at least three critical vulnerabilities announced this year could be spoofed using registry keys, according to the source.
At least one user has given up on Windows Update altogether. Vivek Kundra, director of infrastructure technologies for Arlington County, Va., last week said his department had problems using the Windows Update server technology to deploy the patches.
Although the county government began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly on the county's 3,500 workstations. As a result, it switched to Novell Inc.'s ZENworks to distribute the patches, Kundra said.