|
|
|
Patch Day Takes Down Some Big Targets, But Problems Remain
By: Larry Seltzer
2004-07-15
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Windows XP SP2 is just around the corner and should make things better, but the skies aren't completely blue.After two ho-hum months we all knew a more significant patch day was coming in July. By the time the next one comes around, Windows XP Service Pack 2 may have gone "gold," changing the landscape somewhat. But there still may be patches, even in August.
I took note of the fact that none of the recent updates—neither those on the recent Patch Tuesday nor the "configuration change" a week or two earlier—showed up for Windows XP SP2 users. And none of the attack code I tested on SP2 for those vulnerabilities worked. There were some claims that the shell API update (MS04-024) didnt work, but as best I can tell, these claims have been discredited.
The two critical updates got most of the attention from analysts and the press, but I was more interested in MS04-024, which addresses a vulnerability that has been known for some time to researchers, and for which proof-of-concept attack code had long been available. On Microsofts conference call about the updates, several callers asked what I had asked: Why was MS04-024 only deemed "important" and not "critical"? The companys response was that an exploit of the shell API bug required user intervention to invoke, and that it is not "wormable." Im really not sure this is the case, but in any event, dont believe Microsoft: Treat this one as critical.
And while they called MS04-022—aka "Vulnerability in Task Scheduler Could Allow Code Execution"—"critical," Ive seen research to indicate that this vulnerability may be easier to exploit than reported. Turns out browsing a directory in Windows Explorer in effect invokes the same vulnerable DLL in order to render the proper icon for a .job file (a Task Scheduler file). In any event, "critical" is "critical"—theres no "super critical"—so its not like Microsoft underrated it.
This Task Manager bug and the IIS4 bug in MS04-021 are quite serious, and even researchers learned about them for the first time on Tuesday—at least as far as we know. There wont be any day-zero attacks on these. In fact, I think the severity of the IIS4 problem is being overstated since: a) IIS4 is a dying product and soon wont have any support at all, so only a fool would run it; and b) its not vulnerable in the default configuration.
From what I see in security scuttlebutt circles, Microsoft took out the two biggest unpatched threats out there with MS04-024 and the "configuration change" earlier in the month that set the "kill bit" on the ADODB.Stream interface. There are other threats out there, including some that can potentially execute arbitrary code, although thats not proven. The help-related bugs patched in MS04-023 were also long-known.
If Microsofts response from next month on is to say "SP2" to every threat that comes along, then they have a huge burden to get SP2 out there as widely as possible. I want to see it at my supermarket checkout, in the bag with my Sunday paper. And they better give a copy to every kid in every school. Lots of us have broadband now, but its too big to expect people to download.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
I mentioned that none of the attacks recently patched worked on SP2, but there are other attacks out there. Most of them are targeted at the shipping versions of Windows and Internet Explorer, which is pretty reasonable from the research standpoint, but I know that theyre migrating to SP2, just like everyone should. Ive tried to test a bunch of them on SP2 and found one that appears to work. It involves inserting illegitimate commands into an onmousedown handler, and the potential for doing real damage with it is unclear.
Very few actual day-zero real-world attacks have occurred and almost all the attacks we see are in fact combinations of exploits. This is all the more embarrassing for Microsoft because it means two or more problems werent fixed in time. This sort of thing becomes possible when Microsoft takes many months to fix problems that the whole of the security community knows about. SP2 could change things, but Ill be surprised if the monthly Patch Day and all the excitement that goes with it die off.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: 
More from Larry Seltzer
|
|
�������x}kw"Z�
9;;n�6�c�oÌ3.V��:n{w7'oUţ
'}8��(IRT*!{I"�>2 Gs�=:tA�,ޛ7o}}��ȟ3-C�;n=dȐC�~w(Īgi�7�6G�҂_d�!gBBm׀{G}yD%ӞعߜI@ؓ�Ith m��r'"bx�#�(A������C۴]RJ�63g ]C7�[G]c��:.�S/�b@RhfhRӨ�ߔCbp`eF�S�F>4}��ڮ���L]:g/Gr#{�+4w9мijX*R˗�R֬wCFg�vrC{nXokB)(U:C|���q�u��lm1>x]Z�}rvzuqV�4ny��vy/ȯ0ȷFD��y Z*YOZ]$O%t6�(ln�~Rڪﯭy�<-�_<�$=LrO]����j
m�lR)V%5�IuL}u}B2,OdwJ~9]^��Czny�J�ݔUdLDȏ�KjF(Ú�y>�%���"-��:2�vfy5P*o4��!0ND57�f�I�3(,e��gA�N)��41G��vf���ſ8ř/\PEP�_[�0jJѧTwQQ��b%ax̩a>-+�>�D#ʠ�:광b�\�熯���hC= ;L ��acAwi.[ M�9H_,}�T1�$ƌzN=UAE�$�h��-DAwG�ˆEfB㞂:��۽�ښA��(QΚҁ4=мa��!y�jR;��*~s`�݇md=
�w�L�ߣ1�#놩���T<�ĥ�P�V\Qo�DЧ�dRJ4�G�!"�5i]N�P@B�r68
�-�4rr����<�zZ,ĵb��P,n{��F+aGe�5n_
�df�2I,Ipn3!U~�G�,]E`z9r,T��.�i
/��6Jԭy�BAiZTO5�&cch�f#tA�s�&l`a�T��D%LEw\,O�V�Xĵ�p?7o�
tsk,ะaAXiŪ9g)5���j\#,TS
ݜ��l�pJB+p5,�_�ȅe�5~���{�r�gxGn:mb[r>�{2���yvv[�_��z[.z8
8�r!�N5kb�$�ӠC�O
6q^i�[�ſTc˦rkbfTIn^hћAx(�LR[k�
�RT�{
�N-Z
WZڄ"��JM:P>L2P�Eɥ%�tU2��q�nQxm�{g�k+]P�We_Mo
}d4vX*EM�8X3wl�d
�xA�F�F<`AD}f�&�$��=��myHnS>�E��]�G1�`;SۋppJa)e@ΨԊ�;L,�kaqA�}Oƍ/Љm%�kp�:po�ms1s�Z�.V6ݳ꾰#]5ޅ1�"�Al��"=Qp$'jL?�pl/R3&Ŀwugڱ�j�1݅E�4碾TT�~�G�[�d"�vd6˰A�m��ۦi?#�Ob+n-Ht�iEriXs�P`�Pۄ3c@L,��`�Ƕ;r3]%aabuNnQ=O`�n�=|o`" 2l�3��/6ftI% i�4Q+J)F�� ` L] {TwSyv{3$u`m��>(epFL`^��\�|�� B
�Kg"R*cE�c�Ö�YCÖW�یЄ��r;и
re\̠
,sn{1)'@S(f<�a}{<�ڗ>9g꼻fþ17G>)>k냪̦;PM�3��SK)#�*# 4c�0���VWc#s�q+@#t4�.+�Nj�Zadt�Z/YQw��,�1��8�D"
Ψ7{xۀ�(a�)Z��zo�<ٲI�'_Б!I�dA:��<ݐ+�!l�wY�0r���AC5"萰�� ���ß�E�6(9S!vV�;+js�~
q�2�H��%�ނkSsCŵP���6�Ъc�
>̆u��*j%}Z�AcZq��Lj� LuPȀh%|3�[� 2)>8x�dVyGM)nΚ
���B=Gm@$�L|4S(O{[VMOOVа4�s'}&-o^�g�y�7�Ӟr�ם^pȴ�h�(� 6|o��2��R)ƍQ3)��ccȡ��#W5��%
lH@/"k�>��u�4AaϘɗR-V@ c���Ix}�|�mkD�%X�hb9F�J9��ޡx�P��R7@yZ@ˉ @ѪUZ�Z`U���_�cn'`ƌ�wOJQ)zV�EZ1�c�^.c�=Yn8s�i-}KU>}Дю�"eδɂ7(&��C�iB/-1tm\bbvq�'CU"O[��1�$y
lSB\/B
߁`^����{Ȋ@G�(~�(\{C>�m�
^D>s�'_�Q]x�UM|/E%&~티!WӼF�i�h�av�E[fb�o͕pZ=;g�H~�uB�5y)UŜerI8M�Q�{'�K,%./@^z82z6�ŭQhh^m@��f\f�GK42n▨i$: �5e�VG*}$�dUTU :"iJ^R+/0Ӂ:twH&~�gJd@*�4�]�-�˥L=٘ȥ1��qC@aITyTdR"Y@r�ϴ�J2�x>C���`t>��X8�'?�lgHH�F\oaǏWXMm<�ryxK�M�ܯ$DDOCVlD�g'A��+1_M�1Hwa�zUA-6A���E6 NmIT�~�ZgZP�NǙ0k²�rˆhAケmΏH^cgtּl_|:+@#XW�~OJu;WGuXk~��J�xU�Ծ:mrD5�t>\J��tȞ6KM� $ȅ��X�L��j$9Ĩ}/vnK7��mv:�����2S�4r:�e}J|Isѹ7j}Ւ⽎:עΓ�!5��R@!pWV&��a��ڎ6�N $�Z]?8�i8t=�P}�i���B[�KuÉ�\9�kq*D|x_5�g@ܰXa4P5�|m�XsFwސP\��b��&�`�$خ�*��Xu2ݽh~
ol'e�؋N'�
m! D785�S*PW2��EH��q�A&N['&'
"&9WxEщm
<�~�Ib
\
�|~i1џ/W`�
eڃ�Ο.V|ۨ'?!!)�/�)��.4t칏N5`p��]R�qlu�z{DhDR��9mũpͣtOӖO|�BB�Q�J;Q<�u?Is6�vWP7%M<1CNmI��2%I�Bϔ em$Nj�f�k��C@$_܉Iv(+6HdAͫ�J�c�]eyWj/6V")#�n.0?w�\% � �q�k4/@��1Rr;8!Ţ�鳁�}+
ŏ]xm�� �a%���]9"9+вojYbes�5�5[x�llQ�mx��b1��?nWa0ϲ]hta0,ǢÈ|�u/�Ԍ>~�6��F�' �{c�#'䜁n-~ne��ue's'ك{)SV�%{ֲOKr4�]9gnGdLg�!I ɩ:ev7=oʜ9%++fxtu2a��ׂ(�o%(P2PtI�rskȎݡ;ۃ�>ȥ'~veك��rx5?W2n8E~!B!CR�KgYnQu�D� �Ɗ�x/)E9�n.2�FY:'%:#ڮ/=a��v�ΕoO&&�m;�]ktn1Ƅց0c�2مE{yg>ld��AX9Mw�V�v9$81<��/ ġ[euw+[c���cc;ȯ��F%%wox��Sϰ&l�@|אr�hZ0y��ancZ�q8|+؊wf_��ϒ�5oNOւc3�cpߍ�n2\_m�ZR������o�j{n�n�Al_g�\��4V,-Ũg?5,�gk`0_�q27FnWЌ#@tƨrG�6h2'+x7c#Y65t{>,�%?Kte�D!l5pD=:3,ɚ=GP>TjI@Ž#� l
x;qv&q'%\�xɷ%C
ևlu
Rv �\p>Xxփ_|d#
��l[ѣUZGM}2lAXWa�oA�87-A�<�kxߠ#݅�`l∍Lm/M2f�H9�Zb�F��5�Ŭ&]��Y<᭗NB;Lƛ%#[�S /s�2QQ� �v��CR-6!�Dzb9�#/#���iMYA�#4ԳW[&'�T�NAgxHqK�LbuLA�#/Ԡv��FZ�^Cuye^E~�|woF#�JLBT���lߕ�5! !Mw-9JAq)_ȫŐ�ŤBWc&���a�G:0RLF�ϻ�MI囿����v�zc#d%g�x/V�7RJ{uj=:mҵ4] Cj_k���u b�A�i�֕E6[5��Ck<]f'R(IH
mI!Z
F)=.}qu*6�{�T]ɟR����fY*�UI!��LBl���L� ��&�WAL_
[�sk(U%«˫[ßJ<�+��,1ݙ}�B�%�_��(K8��p0_�i{.mRzW WTe[):P��)��I�7,O{��ZU
)�A%-������lU|�R�|쎃UXiM���:!~�]݅���ذ�l�`�JIX�D849XAj|�!1im�f�]R�j�p�[�ۉzږz_zz.KMw2�J爫��y���$6/RZۊ�`�3��>$�2�m/� }^{~nZ�ۭ[p)"�S_H0]�_�61hMÛJjPnO�-�l`�$h�Z a�[f5q�5x
([RM?&^az&wLJDt�{lã�36 5%.#??"b�%I�> �I�f�&O/�^ iW�%�t1.(#KR�$N^붃)�ӅɞKBj(ANH
(傪U*�f�˩
NH�$vh�|%/ܞ���kK:�VZLw0
pz�O*{cD=a5<�1OqK]X,L*KWRZ)W'V{(��'htŭ`h�TF_��ҫSudRb@�]"�
\A0w
o߷g��m|ܬXdfAt_$YZrQ+~s2+T@�k�#?W-/��]<5
c;i%Oc}M�\AWTv'Y-wŷIfn5�_x�#�o���c�9b
�KK3q#Cm[A��6`�l�j[���GYazT��&�6kr.t%AZ.�:Jh&≜��[�zl¯�B$��S�XubCح8tF87�ɧ(%,⌱ffm����9s��E5R��"J�G+9�[=%:�fm+X�so�}��G%^*Ҷ�^)9voQ$o|<���iʀ{�690�(AU�S&p�]oހ\<@�!Y�==,�L
5;���_,�=T�b1tq*{�o�~�!CP�*�
�~�)�%CJ��8|�=FOBG+BQE�Nwj�M�}�
ʟ�*�OrP#L1 }�M *a�7@~7ꨯL7.J'`=L!AhcJ�;*��1sl-^DL2���xbu~�LpQ-
Q q�D'{O@=�r ��=^i�)�șݞ��%e�tלS|l:
G�je:�6�#/e:~]x�v�sH�Cְjl`��vN4�#HdO$ Æ~y4場~D?�S٦I]1>�,9΅�{�+>4�$�Ť�AI�҂�B8ɩ�ĨW�l"�H"�F:)-���FX�GBJ��Z�O��x�ǍY$��.'>�l?�Q�X�ѡx�7
8?X;͕�a�6ǜMEf^a�/z�T9�s\:$VG ]L1x}��[=��aKRA5�ArCu�s��_�*�R!��ϟO�|Y=�Ha)F<�+�&O^oۦd;�b=��ڹr�[+1~Kly�5�JrS5�7�uθ��u}:
pL�Kc�c�e�z"=�y #?tke�lM/���')3"Y7\h ��0!�5.��lWWɗKSJQ-*5gA��M)k*�1r�. _�9hqd�Z{Cq�ȭ'F^,j|�yKw�il�#Va�*:z[M���F<<Q,턂b>BWQ��.�b>X���m>V-�V]I5^Z(]{Lcď����7�zX|E5Bo[q{y��`�g�FQ_`#�i*pm[,&{3�EM"!�
z�#/T�ګў0,9)�I\|fZ-j9V$G4K,2; � d
+�]s-C?��t_G�":thс_�ފMX0adj4VԞ�k
#0�rrM E�hej)Z�k"50�U<�1�1t+PHjN�TL0Y�\C3 ]Fg/?QHUA-v
O5
�H]i_8?AnIaH&Ũ�N@ ^�'=^�F�S�U&�N�yT>T� "�GO�_
�6aVz�q>G)|m}p��χd&81��xs4`3;$�nX�V{+$μO��ɴ��_5I��� �Z|�U|P\'m3C}AZV颅� ��i|aQ^�H��_}�ڎY���0
K*0
����w:Z�!� ȅ{�/A�]ém`\b,�>O�.7�
t$rM!�i��7W]1@-}B~b���́
,nZD��A%れF ��<"m
]7.nrjƘ[v����5"t�|�acמ��>_=Kv��:rtT/+ʡ�|g���a�scO�fbG7g�;%IDRxzNb�]�$�BнӜh� ?4FW;Sc,0}�.ƌ��]ZVAJRW�L+yf�ޕa+�뱊A�ʟ(=
;%e$K=ɕ@%ZA��eȘq~�{o��O�У.6#�T9f�OsC"�ݓuݹ"ǭ-^w¶-R%�u�wN?t?Z7^qfMv>J4%ۼ6��/
�rq/@]5/[LOSʙhRk¥,�%
E
w�"�BR;�+]a-5
s�[N�RsW��e|:�,Y&���kU4,1X!4�fm=AF2_h?+1sOºύh>��su=nνb2-XѦ�Ry5~^9=U���M�"{11vS]�{l`W]!=fD7??�e*m
�4�lAptr�c͢ln7��fH{�`
֫K<}�.�m'}p=6U][��Xs�'Y��[\2�ܴ{XA�i\5/-hgbϽys-;7ژLڸAņ'a4�uv[C�(\';�=�2rgj�/}`q0X9+hA�<@#��dϽG�!NφE B�~��&` �tG�ȥ�.LeUzyt;�18��,^bٴ`ء�j�;-cH
$QUE�dHX%G��D=f�I>��L#q{̊�GT{aw�:�.
]COy]QvOx�9�F
n+�Q[Y}�;�n�vV<Ĉk?E<�^60p*'*PL}v1�1)�E�1ikО/�Y�BeO�vʄ_o�ðh_o=N6"V'ٷ]`iM
�ůD|݅NL{>bsf`)�j&�tP7qytϵڹ
X�_H]ݍ:�䏤yj@@|vU �
��~jxCfL~^�.7��X/ˈ�;0mB�?ŻI�#g1MHkfAl!�|aXGB��w}CIwၚ�"
.�^�em�^+%#�e{
I��L<-1t^���l�ɡ>�o_僇rB�lX+.Ġ/�>'g4wBO-xYugm�'Ǟmј0_��cVP"���udzԤԶP#hI6�=8��O1``a?�>N@>AыpO`�z�B~`3%��H�+KESXN�A��}FVW�_7 b
ge&"5@�gYlVxSHN=5m�cz0)�u+�9�م�7�S.�_�Z�oe�@DN_D�z��~g0S^��6pc|#��>�:"[32Q9֒�_6gwc[ى[K֟9[۲B/�&�]
a��)Hpi9yD�X%�sDb��1۠(,�YJ>=�6T@|�%{6HDR��}F�0J'.}NuӟJ'
��&,ڍ�K�c.ьai#m'%8�4��>ؼQ�ֺ��O66X�}D�҄3�^p祎P��hU|�,>cy 'wl�&�Mī� 0}�nJ��]ַf2KHG����d���m�-I�U`"{N}r8ˤ`k��욇
�|���0FĶR]E�i3�{|��@ ] o`PSk�+W�ea$ցiv�d>a�R'H�x;t[�Q~: �<Ш�1XLav�E9b�7M���v�RmRo#(+Nm41Ȟ<Nuw=��ve+{lC760*
<�Mo��Ya1 g'[yүy~{��#>
3�x}z
2n^;FfB~ea��EZϼ:;ʆo/pQF$V#01/�y䕔tlH�����m=�PX�1#��N�R�(t;�ug #�
i�ۂ�v�<ׇk4��S$��ˉ,X)�>jWNvTʹmSѼE5�|yylR$|�C]�A,G~}�gLo萵��9{"�Sۄ)w0ЕD0�=3��CG�#��׀ T4<|js�X�
O��(f" ţ�8ZL+bB�#ىZsR&.�399E>d�>�GjF7L.�
dZ\?م�t&���ε�Cg�%?�8��}��
}{ ŗ$VSX7�X Z�^44uk2�Y�}��(Aq{.8�<:�{o1ُG(GR'x�>� ��Aw1\>2�_�~k:��ԂnK=�/{]�&2콡&�R�d`�YC2�'Q��(c>�X�5>FV|_�!b�98n'j�*�r���)zF~"з��ꐺ4�eq@XҨ+5�9~YfS4�C3��S<�mA%�^*�8jáf�?̱b>�r�c箕��� H0]57M�}e>2(CtH�3�8�L�i'+,H��y81aC��ɜccW07��tj:u9,啲�\"$sBtX9Ԋ
>+û>�2�)^Nx�cC�س2y(`>KlTEQk{,�x%W�r�76L� G"8S}_d+8��Aw.�{
7ci1��R+A*+wP�U,-DXb?cTSde俓MtOn:��Qď⥴R}��+T�bөbF�xZ�ǯ%=A#��D]'��L5Q��֭��ŠȍcnX`]���5W�@��R��tv�Кp2Mv��'ށ6Bt�F04Z@z
�k�Y��p$LA�{d`�J.#fv�=lܳ-�HM|9gȃĿ|V"݄
K�K���gȆB1A%�a2>kg�f A,_ٖnq�}�T�<.T"4!�cO�/ &?H6m�ޏϧʉ�nOf=_@5mpj}�Kg<}$y.h/�C*u$ݢ`-]k�>nB;�9Avc❹8" N𗩘e:^��3�^@,w#xYZsJH��n&M\$=ilBaz"�Ч�,ʱhoqkHo64ܥd�FԻ\�SjkOXP���{W1!C
Ǹ�vz�"yV4H{\p�:1nfy;ϗ��6+q��j�&`cveCC�+�\d]�x @o�1)}d0#"yB�R�XVɗRU}G�|(ᔈ�77&5~;X3E$(6�17'A@N'�
�aۑivwHM;a�=*@d��C벇Y>�lT.Zp�D' 0��~v{.Zk�PF盃UO:k^/>� \}��M�=<�VjtۿBE�F\z}j?�>\tn�ʎSo:�NDx�,tnN[I��B�Vyzھz�/oy+7vQ}�͆���v>C3�BU+iX��w -�b �
|
Network Security & Hardware 
