Thursday, October 27, 2005

Story of a Dumb Microsoft Patch

Cesar Cerrudo tells the Story of a Dumb Patch (PDF) from Microsoft. Dana Epp called it a Microsoft screw up and makes an important recommendation for dealing with data coming into a function.

UPDATE: There's a Slashdot thread on this issue.

Also, Cesar e-mailed me the following to counter Microsoft's response/explanation, which was included in my coverage:

Hi Ryan,

Just one thing to clarify Microsoft comments, because it seems they tried to add doubts and to discredit me:

Patch MS05-049 addresses three vulnerabilities:
Shell Vulnerability - CAN-2005-2122
Shell Vulnerability - CAN-2005-2118
Web View Script Injection Vulnerability - CAN-2005-2117

Shell Vulnerability - CAN-2005-2122 is the one on patch MS05-049 that was improperly fixed on previous patch MS05-018, named CSRSS Vulnerability - CAN-2005-0551 on patch MS05-018.

If you have any doubts you can contact serious third parties, I bet they will confirm my findings.


Cesar Cerrudo,
CEO & Founder.
Argeniss - Information Security

UPDATE 2: On the MSRC Blog, Stephen Toulouse has addressed this story in a candid way:

"Yes MS05-049 was a more complete fix. There's no two ways about it. Should MS05-018 have been a more complete update to address the underlying vulnerable function? Yes, Cesar is right. But I want to reiterate that MS05-018 did protect against the issue that was brought to us. We don't want people to worry that there was a problem with MS05-018 or that it didn't protect against the specific vulnerability it was designed to address...

[W]e’ve taken a look at this situation and incorporated some lessons learned. We will work very hard to help ensure something like this doesn’t happen in the future."

A correction for Toulouse: It was Cesar himself who called it a dumb patch, not "some people."
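The lesson Toulouse concedes above, and the one behind Epp's recommendation about data coming into a function, is easiest to see in code. The following is an added illustration, not Microsoft's code and not Cesar's analysis: a hypothetical shared helper copies attacker-controlled bytes into a fixed field, and is "fixed" twice. The caller-side patch adds a length check only on the path the reporter's proof of concept used; the function-side fix checks inside the helper, so every path is covered. The arena, field size, callers and 40-byte input are all invented for the demonstration, and the guard bytes stand in for neighbouring memory so the program models the overflow without actually corrupting itself.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16      /* size of the fixed field the helper writes into */
#define ARENA_MAX 64      /* field plus the "neighbouring memory" behind it   */
#define GUARD_BYTE 0xA5

/* Simulated memory: a 16-byte field followed by guard bytes standing in for
 * whatever sits next to it in the real process. A write into the guard region
 * models the overflow without corrupting this program's own memory. */
struct arena { unsigned char mem[ARENA_MAX]; };

static void arena_init(struct arena *a) { memset(a->mem, GUARD_BYTE, sizeof a->mem); }

/* 1 if any byte beyond the field changed, i.e. the copy overflowed. */
static int arena_corrupted(const struct arena *a) {
    for (size_t i = FIELD_MAX; i < ARENA_MAX; i++)
        if (a->mem[i] != GUARD_BYTE) return 1;
    return 0;
}

/* The shared helper as originally written (hypothetical): it trusts every
 * caller to have checked len, so every path that reaches it inherits the bug. */
static void store_field_unchecked(struct arena *a, const unsigned char *src, size_t len) {
    if (len > ARENA_MAX) len = ARENA_MAX;   /* keeps the simulation itself in bounds */
    memcpy(a->mem, src, len);
}

/* The complete fix: the helper validates its own input. No caller, present or
 * future, can reach the copy with an oversized length. */
static int store_field_checked(struct arena *a, const unsigned char *src, size_t len) {
    if (src == NULL || len > FIELD_MAX) return -1;
    memcpy(a->mem, src, len);
    return 0;
}

/* Two callers reach the helper. The caller-side patch added a check to the path
 * the proof of concept used (A) and left the other path (B) alone. */
static int caller_a_patched(struct arena *a, const unsigned char *src, size_t len) {
    if (len > FIELD_MAX) return -1;         /* the check lives at one call site only */
    store_field_unchecked(a, src, len);
    return 0;
}
static int caller_b_unpatched(struct arena *a, const unsigned char *src, size_t len) {
    store_field_unchecked(a, src, len);     /* same bug, different entry point */
    return 0;
}

/* The same two callers once the helper itself is fixed: neither needs its own check. */
static int caller_a_complete(struct arena *a, const unsigned char *src, size_t len) {
    return store_field_checked(a, src, len);
}
static int caller_b_complete(struct arena *a, const unsigned char *src, size_t len) {
    return store_field_checked(a, src, len);
}

typedef int (*caller_fn)(struct arena *, const unsigned char *, size_t);

/* Feed a constructed 40-byte input (longer than FIELD_MAX) through a caller.
 * Returns 1 if memory beyond the field was corrupted, 0 if the write was contained. */
static int attack_corrupts(caller_fn caller) {
    unsigned char payload[40];
    struct arena a;
    memset(payload, 'A', sizeof payload);
    arena_init(&a);
    (void)caller(&a, payload, sizeof payload);
    return arena_corrupted(&a);
}

int main(void) {
    printf("caller-side patch, path A: %s\n", attack_corrupts(caller_a_patched)   ? "CORRUPTED" : "contained");
    printf("caller-side patch, path B: %s\n", attack_corrupts(caller_b_unpatched) ? "CORRUPTED" : "contained");
    printf("function-side fix, path A: %s\n", attack_corrupts(caller_a_complete)  ? "CORRUPTED" : "contained");
    printf("function-side fix, path B: %s\n", attack_corrupts(caller_b_complete)  ? "CORRUPTED" : "contained");
    return 0;
}
```

The caller-side patch reports path A contained and path B corrupted; the function-side fix reports both contained. That difference, a second entry point nobody re-audited, is exactly why a fix applied at the call site rather than in the vulnerable function tends to need a second bulletin.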

Wednesday, October 26, 2005

12 Months at the MSRC

The newest issue of (IN)SECURE mag (PDF) features an article by Stephen Toulouse on "12 months of progress" at the Microsoft Security Response Center (MSRC).

Not much in the way of news but still a nice overview read.

Sunday, October 23, 2005

More IE 7 Security Details

On the official IE Blog, Eric Lawrence talks about the changes coming in IE7 to improve the security and user experience for HTTPS connections.

Call to Action:

1. If your site requires SSLv2, please reconfigure it to permit SSLv3 or TLSv1 connections.

2. Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate. For example, using the certificate for on will result in an error page.

3. If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present. Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2. If IE7 fails to connect, TLS extensions are the most likely culprit.
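Item 2 of the call to action is the check IE7 performs on every HTTPS connection, and it is the one most site operators get wrong. As an added example (not the IE team's code), here is the matching rule written out in C, including two details the call to action does not spell out: a wildcard is honoured only as the entire leftmost label, and when the certificate carries dNSName subjectAltName entries the subject CN is not consulted at all. The sample certificate names and hostnames are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (hostnames are not case-sensitive). */
static int dns_ieq(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one name from the certificate against the hostname the user typed.
 * RFC 2818 rules as browsers apply them: exact match, case-insensitive; a
 * wildcard is accepted only as the entire leftmost label ("*.example.net"),
 * it consumes exactly one label, and it needs a dotted suffix to its right so
 * "*.com" is refused. */
static int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) != 0)
        return dns_ieq(pattern, host);              /* plain name: exact match */
    if (strchr(pattern + 2, '*') != NULL)           /* no second wildcard */
        return 0;
    if (strchr(pattern + 2, '.') == NULL)           /* refuse "*.tld" */
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)                 /* host needs a leftmost label to consume */
        return 0;
    return dns_ieq(pattern + 2, dot + 1);           /* remaining labels must match exactly */
}

/* Does the certificate cover this host? If the cert has dNSName SANs, only
 * they are consulted; the subject CN is a fallback for legacy certs without a
 * SAN extension. 1 = match, 0 = mismatch (IE7 shows its certificate error page). */
static int cert_matches_host(const char *const *san_dns, size_t san_count,
                             const char *subject_cn, const char *host) {
    if (san_count > 0) {
        for (size_t i = 0; i < san_count; i++)
            if (name_matches(san_dns[i], host))
                return 1;
        return 0;
    }
    return subject_cn != NULL && name_matches(subject_cn, host);
}

/* Constructed sample certificate (not a real site's): two SAN entries plus a CN
 * that, because SANs are present, must NOT be honoured. */
static const char *const SAMPLE_SAN[] = { "www.example.com", "*.example.net" };
static const size_t SAMPLE_SAN_COUNT = sizeof SAMPLE_SAN / sizeof SAMPLE_SAN[0];
static const char SAMPLE_CN[] = "shop.example.com";

static int sample_cert_matches(const char *host) {
    return cert_matches_host(SAMPLE_SAN, SAMPLE_SAN_COUNT, SAMPLE_CN, host);
}

int main(void) {
    const char *hosts[] = { "www.example.com", "WWW.EXAMPLE.COM", "example.com",
                            "mail.example.net", "a.b.example.net", "shop.example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s %s\n", hosts[i],
               sample_cert_matches(hosts[i]) ? "ok" : "certificate error");
    return 0;
}
```

Running it shows the two failure modes operators hit most: serving a certificate for www.example.com on the bare example.com, and expecting a CN to rescue a host that the SAN list does not name. Both produce the IE7 error page described in the post.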

Exploits, Botnet Client via MS05-047

F-Secure is reporting a botnet client being seeded through the security vulnerability covered in the MS05-047 bulletin released in the October patch batch. FrSIRT, formerly K-Otik, has released an exploit for the same vulnerability.

No word on whether the two are related but this is worth keeping an eye on.

Friday, October 21, 2005

A Subtle Hint?

Mary Jo Foley: "Some Windows 2000 users are starting to wonder if Microsoft's growing list of Windows 2000 patch problems are a not-so-subtle hint that Microsoft wants them to upgrade. You've got to wonder..."

Wednesday, October 19, 2005

MS VirtualWiFi Not So Safe

Because of security concerns, Pejman Roshan says businesses should stay away from the Microsoft VirtualWiFi technology.

* Via Om.

New Playing Field, New Rules

Microsoft's Jesper Johansson: "The information security discipline is heading for a crisis unless we start working on strategic security, not just tactical response. We need fresh thinking, new thought, and partnerships with those who use our systems. The bad guys know how we operate and they keep using that against us. To get out of this situation we need to stop just raising the bar and instead move it to a new playing field; one where we get to write the rules."

Tuesday, October 18, 2005

More Unpatched Windows Holes

eEye has flagged another code-execution vulnerability affecting Internet Explorer and Windows Media Player, two products baked into the Windows operating system. That makes it 7 unpatched flaws found by eEye alone.

I'm having coffee with the eEye guys on Thursday. Really looking forward to picking their brains on Windows security issues.

Redmond and the 'B' Word

The estimable Mary Jo Foley weighs in on Microsoft's calculated gamble to bundle security services into Windows Vista.

Monday, October 17, 2005

Counting Vulnerabilities

The New York Times sits in on Microsoft's Blue Hat v2 and offers the following:

"Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said.

Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2."

It's quite amusing to see Microsoft touting security improvements by the number of bulletins released when it's commonplace to find multiple vulnerabilities patched in a single bulletin. An example: in October, Microsoft issued nine bulletins that patched 14 vulnerabilities.

Just for fun, I'll do the flaw count for the period listed in the New York Times story and the results should be interesting.

Spyware Protection in Vista

The latest build of Windows Vista contains quite a few changes to the Security Center. It now contains five categories instead of the three now in XP.

The Security Center now checks "Firewall," "Automatic Updating," "Virus Protection," "Spyware Protection," and "General Security."

The addition of spyware protection, we're told, is the core Windows AntiSpyware product and is sure to raise the obvious questions about unfair competition.

Friday, October 14, 2005

Close Port 3372

Johannes Ullrich, of SANS Internet Storm Center, makes an important pre-weekend recommendation:

"The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know the port 3372 scanning started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed."

MSRC on MS05-051 Exploit

Stephen Toulouse: "There's been a lot of talk today about exploit code, specifically around security bulletins MS05-051 and MS05-046. The good news is that we're not aware at this time of any exploit code being available publicly. Currently we've been told the exploit code is only available through third party fee-based security offerings. We're not currently aware of active attacks that use this exploit code or of customer impact at this time."

What's Your Password?

Jesper Johansson, senior security strategist in the Security Technology Unit at Microsoft, puts forward some valuable advice on choosing passwords:

1. Long -- A good password should be at least eight characters long. The longer the better. Passwords shorter than eight characters are inadequate today. If you are trying to improve password strength in your organization, teach people to use longer passwords that are not based on common words. One technique is also to base passwords, or better yet, pass phrases, on words in other languages than the primary one at the site.

2. Complex -- A good password should have a mix of all the four character types, uppercase and lowercase letters, numbers, and non-alphanumeric symbols. Preferably, all four should exist in a given password. Remember, any character on your keyboard is legal in a password. Using a pass phrase and interspersing it with randomly chosen characters and spaces considerably improves the strength of your password.

3. Changed frequently -- A poster from has a great phrase on it: "Passwords are like bubble gum; they are better when fresh." Passwords should be changed every 90-365 days, depending on the value of the asset they are protecting and the strength of the password. If you use eight-character passwords, 180 days is a reasonable change interval. If you use nine-character passwords today you can probably leave them valid for 360 days or even longer without a problem.

4. Used only in one place -- Reusing passwords significantly increases the exposure of the assets you are protecting with the passwords. Essentially, any given asset is only as secure as the least secure computer that protects that asset. When you reuse passwords the asset is only as secure as the least secure computer where you use that password.

5. Used only by one person -- Another characteristic that passwords borrow from bubble gum is that they are much better when used by a single person. If at all possible, each user on the computer should have their own account with their own password. This increases accountability and decreases exposure for the password. If you allow multiple people to use the same password you effectively give up all possibilities of monitoring their actions unless you install closed-circuit TV systems to oversee the computer.

6. Not typed on untrusted computers -- A password is only as secure as the computer or network it is used on. Keystroke loggers frequently target public kiosk-type computers, such as those used in Internet cafés, conferences, and hotel and airport lounges. The instant a password is typed on one of these computers fitted with a keystroke logger, the asset protected by the password is no longer secure.

And the most important bit from Jesper: "Writing down your password is an excellent idea as long as you adequately protect the medium you wrote it on! Doing so allows you to remember more and better passwords, thereby increasing security, not decreasing it."

Thursday, October 13, 2005

Does Microsoft's SDL Work?

Michael Howard offers an answer in this essay on the implementation of the Security Development Lifecycle (SDL) at Microsoft:

"The answer is a resounding Yes! We have seen the number of security defects be reduced by approximately 50 to 60 percent when we follow SDL. The simple fact is that every product touched by SDL has fewer security defects. Period. And that certainly makes it worth pursuing."

Wednesday, October 12, 2005

MS05-051 Proof of Concept

Dave Aitel's ImmunitySec is the first to post a working proof-of-concept exploit for the worm hole patched in Microsoft's MS05-051 bulletin.

If you're running Windows 2000 (yes, you Wolf Blitzer!) get patching!

IM Interoperability and Fear Mongering

I can't believe so many writers fell for this silly IMlogic flackery.

Tuesday, October 11, 2005

What's Not Patched

Today's patch day was interesting for what it did *not* fix. By my count, 4 of the 10 eEye-discovered flaws were addressed, leaving 6 unpatched, including three that are 136+, 99+ and 81+ days overdue.

The Jet DB engine flaw that I recently blogged about is also on the waiting list after more than 5 months. I asked Microsoft about this during an interview for my story today and was given the "patch-quality-takes-priority" excuse.

I say it's an excuse because when it takes that long to get a patch created and properly tested, something's very wrong with your process.

Microsoft Security Racket?

John C. Dvorak: "Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell "protection"? Is Frank Nitti the new CEO?"

MS Virus/Spyware Phone Support

Not sure how many people know that Microsoft offers *FREE* phone support for virus and malware-related issues.

The number is 1-866-PCSAFETY or 1-866-727-2338.

It is available 24 hours a day for the U.S. and Canada. For phone numbers outside of the U.S. and Canada, Windows users can select their specific region.

Saturday, October 08, 2005

Slipping Through the Cracks?

Just when I get suckered into believing the MSRC is on top of patching security holes in Windows products, along comes something to jolt me back to reality. Does it really take five months to address such a serious vulnerability?

I remember writing about this back in April when the first warning was issued with accompanying proof-of-concept exploit code.

Now that customers are being affected (see this Symantec advisory), will Microsoft rush out a patch?

The MSRC folks appear genuine when they talk about responding in an upfront way to security holes. But when evidence of unforgivable tardiness comes to the fore, you have to wonder whether some things just slip through the cracks.

Antitrust Questions Swirl

Microsoft Watch's Mary Jo Foley and I wrote a piece exploring the antitrust question swirling around Microsoft's aggressive push into the security (anti-virus, anti-spyware) market.