[ISN] Microsoft's Patching Conundrum

From: InfoSec News (isn@private)
Date: Fri Dec 12 2003 - 01:29:56 PST


    http://www.atnewyork.com/news/article.php/3288141
    
    December 11, 2003
    By Ryan Naraine
    
    On the heels of an announcement from Microsoft that it won't be 
    issuing December security patches under the new monthly release 
    cycle, a security researcher has gone public with a new Internet 
    Explorer vulnerability that could be used by 'phishers' to 
    perpetuate online fraud.
    
    The latest IE flaw carries a 'moderately critical' rating and is the 
    second major vulnerability in the world's most popular Web browser 
    that remains unpatched.
    
    Late last month, Chinese researcher Liu Die Yu warned of five serious 
    IE vulnerabilities that could be exploited to take over a vulnerable 
    system. Yu's warning was released on several public mailing lists and 
    carried a 'critical' warning that the flaws could lead to system 
    access, exposure of sensitive information, cross site scripting and 
    security bypass.
    
    The public release of proof-of-concept exploits before fixes are 
    issued underscores the nightmares the software giant faces in its 
    all-out effort to improve its patch management process. A company 
    spokesman told internetnews.com the internal investigations were 
    ongoing regarding both IE flaw alerts and promised a patch would be 
    issued at the appropriate time.
    
    Publicly, Microsoft isn't saying why it decided against releasing 
    patches. On the TechNet repository, the company said simply that if 
    the need arises for emergency patches, they will be issued outside the 
    monthly releases.
    
    A company official told internetnews.com security fixes were in 
    development but problems during the testing phase pushed back the 
    release date. The source could not say if a cumulative patch for 
    Internet Explorer was part of the tests and left the door open to an 
    emergency release of an IE patch before the second Tuesday in January, 
    the next scheduled release date.
    
    As Microsoft struggles to cope with the patch management headache, 
    researchers say the latest IE flaw was detected in the way the browser 
    displays URLs in the address bar. A test exploit [1] using the 
    microsoft.com domain was made public, showing that a specially crafted 
    URL can be used by an attacker to spoof a Web address.
    
    The spoofing technique is regularly used by scammers to trick 
    unsuspecting surfers into giving up sensitive information, including 
    credit card and social security numbers.
    
    The URL spoofing flaw, which affects IE version 6.0, lets an attacker 
    hide the real location of a Web page by including a special character 
    and the "@" sign. "Successful exploitation allows a malicious person 
    to display an arbitrary FQDN (Fully Qualified Domain Name) in the 
    address bar, which is different from the actual location of the page," 
    according to the alert.
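    An added example, not part of the article or the alert it quotes: a 
    defender-side check, written in Python, of the kind a mail gateway or 
    proxy could apply to links. It parses a URL, reports the host the URL 
    really resolves to (everything after the last "@"), and flags the 
    pattern described above, where hostname-like text is placed before 
    the "@" sign together with a non-printable character. The sample URLs 
    and the hostnames and addresses in them are constructed for the 
    example (documentation ranges, not real sites).

```python
"""Flag URLs whose visible text can mislead a user about the real host.

Added example; the sample URLs below are constructed, not from the article.
"""
from urllib.parse import urlsplit, unquote


def analyse_url(url: str) -> dict:
    """Return what a user is likely to read versus where the URL really points."""
    parts = urlsplit(url)
    netloc = parts.netloc

    # Anything before the last "@" is userinfo: the browser connects to the
    # host after it, but a reader may take the leading text for the site.
    decoy = netloc.rsplit("@", 1)[0] if "@" in netloc else None
    real_host = parts.hostname or ""  # host after the last "@", port stripped

    # Percent-decode so an encoded control byte (e.g. "%01") is seen as one.
    decoded = unquote(netloc)
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)

    if decoy is None:
        risk = "none"
    elif has_control:
        risk = "high"    # hostname-looking text plus a hidden control byte
    elif "." in decoy.split(":")[0]:
        risk = "medium"  # userinfo that reads like a domain name
    else:
        risk = "low"     # plain credentials-in-URL; worth noting, not spoofing

    return {
        "real_host": real_host,
        "decoy": decoy,
        "control_chars": has_control,
        "risk": risk,
    }


# Constructed samples: a normal link, the spoofing pattern (encoded and raw
# control byte), a hostname-like decoy without a control byte, and ordinary
# credentials in a URL.
SAMPLE_URLS = [
    "http://www.example.com/login",
    "http://www.example.com%01@198.51.100.7/login",
    "http://www.example.com\x01@198.51.100.7/login",
    "http://www.example.com@203.0.113.9/",
    "http://user:pass@www.example.com/",
]


def triage(urls):
    """Pair each URL with its risk label, for a gateway log or a report."""
    return [(u, analyse_url(u)["risk"]) for u in urls]


if __name__ == "__main__":
    for url, risk in triage(SAMPLE_URLS):
        info = analyse_url(url)
        print(f"{risk:6} real_host={info['real_host']!r} decoy={info['decoy']!r}  {url!r}")
```

    The "real_host" field is the one to compare against the text shown 
    to the user; a link whose displayed hostname and parsed host differ 
    is the condition the alert describes, whatever the browser renders.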
    
    Separately, Jupiter Research analyst Joe Wilcox disclosed that a 
    glitch in Microsoft's Windows Update detection process accounted for 
    the issuance of the patch for the November FrontPage Server Extensions 
    security vulnerability.
    
    Writing on the Microsoft Monitor Weblog, Wilcox said changes in 
    Windows Update resulted in the patch being issued for systems that did 
    not need it. "Unfortunately, I let Windows Update apply the patch to 
    three of my computers. Now, the question is what problems, if any, 
    that might cause for any computers to which the patch was applied," he 
    said.
    
    He said the Windows Update glitch was another black eye against the 
    Redmond, Wash.-based company. "[T]he larger problem is trust and 
    execution. If the company truly plans to make the Windows Update 
    process better and, presumably, more automatic, the dispatched patches 
    must always be the right ones. Consumers and smaller businesses would 
    need to be able to trust that the process will always be flawless. A 
    wrong patch could create big problems if put on the wrong version of 
    Windows or application. Larger businesses would want to test patches 
    anyway," Wilcox argued.
    
    * Editor's Note: internetnews.com and Jupiter Research share the same 
    parent company.
    
    [1] http://www.zapthedingbat.com/security/ex01/vun1.htm
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    This archive was generated by hypermail 2b30 : Fri Dec 12 2003 - 03:54:29 PST