Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Patch Day Takes Down Some Big Targets, But Problems Remain

    By
    Larry Seltzer
    -
    July 15, 2004
    Share
    Facebook
    Twitter
    Linkedin

      After two ho-hum months we all knew a more significant patch day was coming in July. By the time the next one comes around, Windows XP Service Pack 2 may have gone “gold,” changing the landscape somewhat. But there still may be patches, even in August.

      I took note of the fact that none of the recent updates—neither those on the recent Patch Tuesday nor the “configuration change” a week or two earlier—showed up for Windows XP SP2 users. And none of the attack code I tested on SP2 for those vulnerabilities worked. There were some claims that the shell API update (MS04-024) didnt work, but as best I can tell, these claims have been discredited.

      The two critical updates got most of the attention from analysts and the press, but I was more interested in MS04-024, which addresses a vulnerability that has been known for some time to researchers, and for which proof-of-concept attack code had long been available. On Microsofts conference call about the updates, several callers asked what I had asked: Why was MS04-024 only deemed “important” and not “critical”? The companys response was that an exploit of the shell API bug required user intervention to invoke, and that it is not “wormable.” Im really not sure this is the case, but in any event, dont believe Microsoft: Treat this one as critical.

      /zimages/2/28571.gif

      And while they called MS04-022—aka “Vulnerability in Task Scheduler Could Allow Code Execution”—”critical,” Ive seen research to indicate that this vulnerability may be easier to exploit than reported. Turns out browsing a directory in Windows Explorer in effect invokes the same vulnerable DLL in order to render the proper icon for a .job file (a Task Scheduler file). In any event, “critical” is “critical”—theres no “super critical”—so its not like Microsoft underrated it.

      This Task Manager bug and the IIS4 bug in MS04-021 are quite serious, and even researchers learned about them for the first time on Tuesday—at least as far as we know. There wont be any day-zero attacks on these. In fact, I think the severity of the IIS4 problem is being overstated since: a) IIS4 is a dying product and soon wont have any support at all, so only a fool would run it; and b) its not vulnerable in the default configuration.

      From what I see in security scuttlebutt circles, Microsoft took out the two biggest unpatched threats out there with MS04-024 and the “configuration change” earlier in the month that set the “kill bit” on the ADODB.Stream interface. There are other threats out there, including some that can potentially execute arbitrary code, although thats not proven. The help-related bugs patched in MS04-023 were also long-known.

      If Microsofts response from next month on is to say “SP2” to every threat that comes along, then they have a huge burden to get SP2 out there as widely as possible. I want to see it at my supermarket checkout, in the bag with my Sunday paper. And they better give a copy to every kid in every school. Lots of us have broadband now, but its too big to expect people to download.

      /zimages/2/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      I mentioned that none of the attacks recently patched worked on SP2, but there are other attacks out there. Most of them are targeted at the shipping versions of Windows and Internet Explorer, which is pretty reasonable from the research standpoint, but I know that theyre migrating to SP2, just like everyone should. Ive tried to test a bunch of them on SP2 and found one that appears to work. It involves inserting illegitimate commands into an onmousedown handler, and the potential for doing real damage with it is unclear.

      Very few actual day-zero real-world attacks have occurred and almost all the attacks we see are in fact combinations of exploits. This is all the more embarrassing for Microsoft because it means two or more problems werent fixed in time. This sort of thing becomes possible when Microsoft takes many months to fix problems that the whole of the security community knows about. SP2 could change things, but Ill be surprised if the monthly Patch Day and all the excitement that goes with it die off.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      /zimages/2/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
      Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      More from Larry Seltzer

      Avatar
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×