August 14th, 2008

Where on earth are these Microsoft patches?

Posted by Ryan Naraine @ 3:38 pm

Categories: Uncategorized

Tags: Vulnerability, Patch Management, Microsoft Internet Explorer, Microsoft Corp., Microsoft Windows, Web Browsers, Operating Systems, Software, Internet, Ryan Naraine

Lost in the shuffle of this month’s Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed “because of a last minute quality issue.”

Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns.

The explanation from Redmond:

  • Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.

This effectively means that millions of Windows users — WMP ships with every version of the desktop operating system — are exposed to a critical, code execution vulnerability that will not be fixed for at least another month.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

The missing WMP patch is just one of several known — and very serious — vulnerabilities that Microsoft has not yet patched. A few off the top of my head:

  1. Internet Explorer — Remember the Safari-to-IE blended threat from April? This vulnerability was reported to Microsoft back in 2006 and, despite issuing an advisory that embarrassed Apple into shipping a Safari fix, Microsoft has still not fixed the underlying code defect. Now I’m hearing murmurings that this issue probably won’t be fixed until Windows 7. Boo!
  2. Token Kidnapping — Four months after shipping a pre-patch advisory confirming the severity of Cesar Cerrudo’s token kidnapping (.pdf) bug, Microsoft’s fix is still not available. This issue affects Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista and Windows Server 2008.
  3. Ghosts in Browsers — It’s been more than three months since Manuel Caballero (now a Microsoft employee) went to Blue Hat and gave the scary ghosts-in-the-browser talk. Nate McFeters saw the carnage first hand and confirms that it affects “all browsers.” Since then, Sirdarckcat has published details on IE browser flaws that extend to both IE 7 and IE 8 beta. Worse, they’re all still unpatched.
  4. Web Proxy Auto-Discovery — This man-in-the-middle WPAD issue, publicly discussed at Kiwicon last December, is another bug on Microsoft’s late list. An advisory with mitigations (for Windows 2000, Windows XP, Windows Server 2003 and Windows Vista) is available, but still no patch. This issue also affects all versions of Internet Explorer, including IE 7 on Windows Vista, so it’s not insignificant.
  5. Print Table of Links (IE) — Aviv Raff’s discovery of a cross-zone issue affecting IE 7 and IE 8 beta is publicly known but, despite the availability of proof-of-concept code, there’s no fix yet from Microsoft.

If that list is not scary enough, take a peek at this upcoming advisories page maintained by TippingPoint’s Zero Day Initiative.  It lists a whopping 20 unpatched vulnerabilities that have been reported to Microsoft, some more than 200 days ago.


I asked ZDI’s David Endler about this list and he confirmed they were all “high-risk” issues that were reported to Microsoft on the dates listed but he declined to discuss the status of individual vulnerabilities.

Microsoft has done a great job of improving its security posture and its relationship with hackers/researchers but the inability to issue patches in a timely manner is still a major problem.

The disclosure timeline in this Core Security advisory (scroll to bottom) shows just how frustrating it is to get Microsoft to stick to a patch release schedule. The two sides are discussing an IE vulnerability that was first reported in January 2008 but was delayed numerous times because of all kinds of (sometimes comical) hiccups.

The list above applies only to publicly known issues.  Can you imagine what’s out there that’s not yet public?

* Image via Todd Bishop, Seattle PI.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (most recent of 76)

And this surprises you?
It's commonplace for MS to have issues that are over a year old. Welcome to Microsoft. (Read the rest)
Posted by: todbran@... on 12/10/08
