Vulnerabilities / Threats
3/16/2009
04:58 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Stands By Its Latest Patch

The company is defending against claims that its MS09-008 security fix doesn't work and that the vulnerabilities could be used to hijack network traffic.

To counter claims that its MS09-008 patch doesn't work, Microsoft on Friday explained the proper way to fix the vulnerabilities identified in its Windows DNS server and Windows WINS server software.

"There are claims that this update is ineffective," Maarten Van Horenbeeck, Microsoft's Security Research and Defense Center program manager, said in a blog post on Friday. "Let me be clear that this update will protect you and it should be deployed as soon as possible."

The vulnerabilities have to do with DNS spoofing vulnerabilities, with the Web Proxy Auto-Discovery, or WPAD, and with the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP. If exploited, these flaws could be used to hijack network traffic.

WPAD provides a way to automatically configure the proxy settings of computers on a network.

"This vulnerability could be used to launch 'man-in-the-middle' attacks on Windows DNS servers," explained Luis Corrons, director of PandaLabs, in a blog post. "The Web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled."

To fix this problem, Microsoft's patch adds a block list to its DNS server. The names on the list no longer resolve as domain names. This prevents an attack from registering a WPAD or ISATAP entry going forward.

But the patch does nothing to fix an entry registered before the patch was applied, a feature that Microsoft says is necessary to avoid negatively impacting legitimate users of these services. As a consequence, systems on which the MS09-008 vulnerability has already been exploited will remain infected after the patch.

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," explained Van Horenbeeck. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

To fix this, add "wpad" as one of the values in the GlobalQueryBlockList registry key and restart the DNS service, explained Corrons. This may not be the end of it, however, as compromised systems may have acquired additional malware.

Further details about MS09-008 can be found at the Microsoft Security Response Center blog.


InformationWeek has published an in-depth report on Windows 7. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.