
Windows Update Patch Process Faulty, Expert Says

Claims flaw fools users into thinking that their systems have been patched properly
Jaikumar Vijayan

August 18, 2003 (Computerworld) -- Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that, in some cases, could fool users into thinking they have been properly patched against some vulnerabilities when in fact they have not, a security expert said last week.
The claim, made by Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp., was strongly rejected by Microsoft as unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch.
Windows Update relies only on the "registry key" information associated with each patch to determine if a system has a specific patch, Cooper said.
When a user goes to the Windows Update site, a program first scans the user's system for the registry keys to determine what patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch even though the patch itself is not installed. This can happen, for instance, if a machine crashes or is turned off during the patch installation process, or if the system lacks the resources to install a patch, according to Cooper.
In such cases, Windows Update is fooled into thinking the system is patched because all it's using to verify the existence of a patch is the associated registry-key information, Cooper said. It's for this reason that other patch management products look for patch-specific file information in addition to registry-key information when verifying the existence of a patch, he said.
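The cross-check Cooper attributes to other patch management products, sketched as an added example (not code from the article, Microsoft or any vendor): a patch counts as installed only when its registry marker and its file versions agree. The manifest, registry paths, file names and version numbers are constructed placeholders.

```python
# Added example. Patch ids, registry paths, file names and versions are constructed.

def parse_version(text):
    """Parse a four-part file version such as '5.1.2600.1230' into a tuple of ints."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts

def audit_patch(patch, registry_keys, file_versions):
    """Return (status, stale_files) using the registry marker AND the files on disk."""
    marker = patch["registry_key"] in registry_keys
    stale = []
    for path, minimum in patch["files"].items():
        found = file_versions.get(path)  # None means the file is absent
        # Compare numerically: 999 < 1230, although the strings sort the other way.
        if found is None or parse_version(found) < parse_version(minimum):
            stale.append(path)
    if marker:
        # Marker present but files old or absent: an install that never completed.
        return ("installed" if not stale else "registry-only"), stale
    return ("files-only" if not stale else "missing"), stale

def audit(manifest, registry_keys, file_versions):
    """Audit every patch in the manifest; returns {patch_id: (status, stale_files)}."""
    return {p["id"]: audit_patch(p, registry_keys, file_versions) for p in manifest}

# Constructed manifest: what each patch should leave behind once fully installed.
MANIFEST = [
    {"id": "PATCH-A", "registry_key": r"HKLM\EXAMPLE\Updates\PATCH-A",
     "files": {r"C:\WINDOWS\system32\example_a.dll": "5.1.2600.1230"}},
    {"id": "PATCH-B", "registry_key": r"HKLM\EXAMPLE\Updates\PATCH-B",
     "files": {r"C:\WINDOWS\system32\example_b.dll": "5.1.2600.1300"}},
    {"id": "PATCH-C", "registry_key": r"HKLM\EXAMPLE\Updates\PATCH-C",
     "files": {r"C:\WINDOWS\system32\example_c.dll": "5.1.2600.1106"}},
]

# Constructed system state: PATCH-A was interrupted after its marker was written.
REGISTRY = {r"HKLM\EXAMPLE\Updates\PATCH-A", r"HKLM\EXAMPLE\Updates\PATCH-B"}
FILES = {
    r"C:\WINDOWS\system32\example_a.dll": "5.1.2600.999",   # older than required
    r"C:\WINDOWS\system32\example_b.dll": "5.1.2600.1300",  # matches the manifest
}

if __name__ == "__main__":
    for patch_id, (status, stale) in audit(MANIFEST, REGISTRY, FILES).items():
        print(f"{patch_id}: {status} {stale}")
```

A scanner that consulted only `REGISTRY` would report PATCH-A as installed; the file comparison is what exposes it as `registry-only`.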
On the Defensive
Stephen Toulouse, a security program manager at Microsoft, dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.
Citing the patch for the latest Windows remote procedure call vulnerability (MS03-026), Toulouse said there have been "tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse added that the method Cooper used to demonstrate the problem was a highly unlikely and "artificial" scenario.
"It is entirely possible to try and make something fail," Toulouse said. "The question is, how realistic is the scenario?"
Windows Update is checking file versions for the latest patch relating to the Windows vulnerability that Blaster took advantage of, Cooper said. But the same isn't true for all patches, he claimed.
"There are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed by simply writing a registry value," according to one security expert, who requested anonymity.
As of Aug. 13, patches for at least three critical vulnerabilities announced this year could be spoofed using registry keys, according to the source.
At least one user has given up on Windows Update altogether. Vivek Kundra, director of infrastructure technologies for Arlington County, Va., last week said his department had problems using the Windows Update server technology to deploy the patches.
Although the county government began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly on the county's 3,500 workstations. As a result, it switched to Novell Inc.'s ZENworks to distribute the patches, Kundra said.



