Vulnerabilities / Threats
3/16/2009
04:58 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Stands By Its Latest Patch

The company is defending against claims that its MS09-008 security fix doesn't work and that the vulnerabilities could be used to hijack network traffic.

To counter claims that its MS09-008 patch doesn't work, Microsoft on Friday explained the proper way to fix the vulnerabilities identified in its Windows DNS server and Windows WINS server software.

"There are claims that this update is ineffective," Maarten Van Horenbeeck, Microsoft's Security Research and Defense Center program manager, said in a blog post on Friday. "Let me be clear that this update will protect you and it should be deployed as soon as possible."

The vulnerabilities have to do with DNS spoofing vulnerabilities, with the Web Proxy Auto-Discovery, or WPAD, and with the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP. If exploited, these flaws could be used to hijack network traffic.

WPAD provides a way to automatically configure the proxy settings of computers on a network.

"This vulnerability could be used to launch 'man-in-the-middle' attacks on Windows DNS servers," explained Luis Corrons, director of PandaLabs, in a blog post. "The Web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled."

To fix this problem, Microsoft's patch adds a block list to its DNS server. The names on the list no longer resolve as domain names. This prevents an attack from registering a WPAD or ISATAP entry going forward.

But the patch does nothing to fix an entry registered before the patch was applied, a feature that Microsoft says is necessary to avoid negatively impacting legitimate users of these services. As a consequence, systems on which the MS09-008 vulnerability has already been exploited will remain infected after the patch.

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," explained Van Horenbeeck. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

To fix this, add "wpad" as one of the values in the GlobalQueryBlockList registry key and restart the DNS service, explained Corrons. This may not be the end of it, however, as compromised systems may have acquired additional malware.

Further details about MS09-008 can be found at the Microsoft Security Response Center blog.


InformationWeek has published an in-depth report on Windows 7. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.