Vulnerabilities / Threats

3/16/2009
04:58 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Stands By Its Latest Patch

The company is defending against claims that its MS09-008 security fix doesn't work and that the vulnerabilities could be used to hijack network traffic.

To counter claims that its MS09-008 patch doesn't work, Microsoft on Friday explained the proper way to fix the vulnerabilities identified in its Windows DNS server and Windows WINS server software.

"There are claims that this update is ineffective," Maarten Van Horenbeeck, Microsoft's Security Research and Defense Center program manager, said in a blog post on Friday. "Let me be clear that this update will protect you and it should be deployed as soon as possible."

The vulnerabilities have to do with DNS spoofing vulnerabilities, with the Web Proxy Auto-Discovery, or WPAD, and with the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP. If exploited, these flaws could be used to hijack network traffic.

WPAD provides a way to automatically configure the proxy settings of computers on a network.

"This vulnerability could be used to launch 'man-in-the-middle' attacks on Windows DNS servers," explained Luis Corrons, director of PandaLabs, in a blog post. "The Web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled."

To fix this problem, Microsoft's patch adds a block list to its DNS server. The names on the list no longer resolve as domain names. This prevents an attack from registering a WPAD or ISATAP entry going forward.

But the patch does nothing to fix an entry registered before the patch was applied, a feature that Microsoft says is necessary to avoid negatively impacting legitimate users of these services. As a consequence, systems on which the MS09-008 vulnerability has already been exploited will remain infected after the patch.

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," explained Van Horenbeeck. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

To fix this, add "wpad" as one of the values in the GlobalQueryBlockList registry key and restart the DNS service, explained Corrons. This may not be the end of it, however, as compromised systems may have acquired additional malware.

Further details about MS09-008 can be found at the Microsoft Security Response Center blog.


InformationWeek has published an in-depth report on Windows 7. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.