
Microsoft Stands By Its Latest Patch

Microsoft is rebutting claims that its MS09-008 security fix doesn't work. The vulnerabilities it addresses could be used to hijack network traffic.

To counter claims that its MS09-008 patch doesn't work, Microsoft on Friday explained how the update addresses the vulnerabilities identified in its Windows DNS server and Windows WINS server software, and what administrators must do themselves to remove an entry an attacker has already registered.

"There are claims that this update is ineffective," Maarten Van Horenbeeck, Microsoft's Security Research and Defense Center program manager, said in a blog post on Friday. "Let me be clear that this update will protect you and it should be deployed as soon as possible."

MS09-008 covers several vulnerabilities: DNS response spoofing in the Windows DNS server, and the registration of Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) names in DNS and WINS. If exploited, these flaws could be used to hijack network traffic.

WPAD provides a way to automatically configure the proxy settings of computers on a network: a client set to detect settings automatically looks up the hostname wpad in its own DNS domain and fetches its proxy configuration script from whatever host that name resolves to. Whoever controls that record therefore controls where the client's Web traffic goes.

"This vulnerability could be used to launch 'man-in-the-middle' attacks on Windows DNS servers," explained Luis Corrons, director of PandaLabs, in a blog post. "The Web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled."

To address the WPAD and ISATAP registration problem, Microsoft's patch adds a global query block list to the DNS server. The server does not resolve queries for any name on the list (wpad and isatap by default), regardless of whether a matching record exists in one of its zones, so an attacker who registers such a name through dynamic update gains nothing going forward.

But the patch does nothing about an entry registered before it was applied. If a wpad or isatap record already exists in a zone when the update is installed, the update leaves that name off the block list so that it keeps resolving, a behavior Microsoft says is necessary to avoid breaking legitimate deployments of these services. As a consequence, a DNS server on which the vulnerability was exploited before patching will keep handing out the attacker's WPAD entry after the patch.

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," explained Van Horenbeeck. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

To fix this, add "wpad" as one of the values in the GlobalQueryBlockList registry key and restart the DNS service, explained Corrons. Even so, this may not be the end of it: clients whose traffic has already been routed through a malicious proxy may have picked up additional malware and should be examined as well.
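The following PowerShell script is an added example, not code from Microsoft, PandaLabs or this article. It audits the block list a patched server is actually using, looks for wpad and isatap records that already exist in the hosted zones (the records the update leaves alone), and then adds the names and restarts the DNS service as Corrons describes. It assumes it is run from an elevated prompt on the DNS server itself; dnscmd.exe and the registry path under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters are the documented interfaces, and the zone names are whatever that server hosts.

```powershell
# Added example (not Microsoft's or PandaLabs' code): audit and harden the
# global query block list on a Windows DNS server after MS09-008.
# Assumes an elevated prompt on the DNS server with dnscmd.exe available.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$wanted   = @('wpad', 'isatap')

# 1. Current state of the block list. "dnscmd /info /globalqueryblocklist"
#    shows the same data; the registry is easier to script against.
$props   = Get-ItemProperty -Path $paramKey -ErrorAction Stop
$enabled = $props.EnableGlobalQueryBlockList      # $null on an unpatched server
$current = @($props.GlobalQueryBlockList)         # REG_MULTI_SZ, may be empty
"EnableGlobalQueryBlockList = $enabled"
"GlobalQueryBlockList       = $($current -join ', ')"

# 2. Before blocking anything, find existing wpad/isatap records in the
#    forward zones this server hosts. The update leaves such records alone,
#    so one you did not create is exactly the artifact an earlier attack left.
$zones = dnscmd /enumzones | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s+(Primary|Secondary)\s' -and
        $matches[1] -notlike '*.arpa' -and $matches[1] -ne 'TrustAnchors') {
        $matches[1]
    }
}

foreach ($zone in $zones) {
    foreach ($name in $wanted) {
        # A non-zero exit code means the node does not exist in that zone.
        $out = dnscmd /enumrecords $zone $name 2>&1
        if ($LASTEXITCODE -eq 0) {
            $records = $out | Where-Object { $_ -match '\s(A|AAAA|CNAME)\s' }
            if ($records) {
                Write-Warning "Zone '$zone' has a '$name' record. Verify who registered it before blocking:"
                $records | ForEach-Object { "    $_" }
            }
        }
    }
}

# 3. Put both names on the list, make sure the list is enabled, restart DNS.
#    A blocked name stops resolving in every zone on this server, which is
#    the point for an attacker-registered entry but also disables a
#    legitimate WPAD host.
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0 -or $enabled -ne 1) {
    $newList = @($current + $missing | Where-Object { $_ } | Select-Object -Unique)
    dnscmd /config /enableglobalqueryblocklist 1 | Out-Null
    dnscmd /config /globalqueryblocklist $newList | Out-Null
    Restart-Service -Name DNS -Force
    "Block list now: $($newList -join ', ') (DNS service restarted)"
} else {
    "Block list already covers $($wanted -join ', '); nothing changed."
}
```

Step 2 is the part worth doing by hand as well: the update cannot tell an administrator's wpad record from an attacker's, and neither can this script. If the record it reports is one your own administrators created, blocking the name takes WPAD down for every zone on the server; in that case keep the name off the list and remove only an unexpected record, for example with dnscmd /recorddelete ZONE wpad A ADDRESS /f, where ZONE and ADDRESS are the zone and address the script printed.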

Further details about MS09-008 can be found at the Microsoft Security Response Center blog.

