Patch Day Takes Down Some Big Targets, But Problems Remain

 
 
By Larry Seltzer  |  Posted 2004-07-15 Email Print this article Print
 
 
 
 
 
 
 

Windows XP SP2 is just around the corner and should make things better, but the skies aren't completely blue.

After two ho-hum months we all knew a more significant patch day was coming in July. By the time the next one comes around, Windows XP Service Pack 2 may have gone "gold," changing the landscape somewhat. But there still may be patches, even in August. I took note of the fact that none of the recent updates—neither those on the recent Patch Tuesday nor the "configuration change" a week or two earlier—showed up for Windows XP SP2 users. And none of the attack code I tested on SP2 for those vulnerabilities worked. There were some claims that the shell API update (MS04-024) didnt work, but as best I can tell, these claims have been discredited.

The two critical updates got most of the attention from analysts and the press, but I was more interested in MS04-024, which addresses a vulnerability that has been known for some time to researchers, and for which proof-of-concept attack code had long been available. On Microsofts conference call about the updates, several callers asked what I had asked: Why was MS04-024 only deemed "important" and not "critical"? The companys response was that an exploit of the shell API bug required user intervention to invoke, and that it is not "wormable." Im really not sure this is the case, but in any event, dont believe Microsoft: Treat this one as critical.

And while they called MS04-022—aka "Vulnerability in Task Scheduler Could Allow Code Execution"—"critical," Ive seen research to indicate that this vulnerability may be easier to exploit than reported. Turns out browsing a directory in Windows Explorer in effect invokes the same vulnerable DLL in order to render the proper icon for a .job file (a Task Scheduler file). In any event, "critical" is "critical"—theres no "super critical"—so its not like Microsoft underrated it.

This Task Manager bug and the IIS4 bug in MS04-021 are quite serious, and even researchers learned about them for the first time on Tuesday—at least as far as we know. There wont be any day-zero attacks on these. In fact, I think the severity of the IIS4 problem is being overstated since: a) IIS4 is a dying product and soon wont have any support at all, so only a fool would run it; and b) its not vulnerable in the default configuration.

From what I see in security scuttlebutt circles, Microsoft took out the two biggest unpatched threats out there with MS04-024 and the "configuration change" earlier in the month that set the "kill bit" on the ADODB.Stream interface. There are other threats out there, including some that can potentially execute arbitrary code, although thats not proven. The help-related bugs patched in MS04-023 were also long-known.

If Microsofts response from next month on is to say "SP2" to every threat that comes along, then they have a huge burden to get SP2 out there as widely as possible. I want to see it at my supermarket checkout, in the bag with my Sunday paper. And they better give a copy to every kid in every school. Lots of us have broadband now, but its too big to expect people to download.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. I mentioned that none of the attacks recently patched worked on SP2, but there are other attacks out there. Most of them are targeted at the shipping versions of Windows and Internet Explorer, which is pretty reasonable from the research standpoint, but I know that theyre migrating to SP2, just like everyone should. Ive tried to test a bunch of them on SP2 and found one that appears to work. It involves inserting illegitimate commands into an onmousedown handler, and the potential for doing real damage with it is unclear.

Very few actual day-zero real-world attacks have occurred and almost all the attacks we see are in fact combinations of exploits. This is all the more embarrassing for Microsoft because it means two or more problems werent fixed in time. This sort of thing becomes possible when Microsoft takes many months to fix problems that the whole of the security community knows about. SP2 could change things, but Ill be surprised if the monthly Patch Day and all the excitement that goes with it die off.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel