[ISN] Why Did Microsoft Delay IE Patch?

From: InfoSec News (alerts@private)
Date: Wed Aug 23 2006 - 22:28:59 PDT


By Ryan Naraine 
August 23, 2006 

Microsoft has temporarily delayed the re-release of a critical
Internet Explorer browser patch because of problems with the way its
proprietary Systems Management Server handles cabinet (.cab) files,
according to sources familiar with the matter.

The Redmond, Wash., software giant markets SMS as a business tool for
simplifying patch management, but because of a bug in the way the SMS
architecture handles certain compressed files, the company temporarily
cancelled the patch release originally scheduled for Aug. 22.

Microsoft typically delays software updates because of quality
assurance concerns, but this is the first time the company has made it
known that a kink in its own distribution mechanism is the cause for
the temporary cancellation of an important patch.

The decision is not sitting well with Internet security experts.

eEye Digital Security, the private research outfit that blew the lid
on the exploitable nature of the vulnerability after Microsoft
described it as a simple browser crash, says a flaw in SMS is no
reason to leave customers at risk of code execution attacks.

"[Microsoft is] delaying a security patch, not because there is a
problem with their patch, but a problem with their proprietary
distribution engine," said eEye Chief Executive Ross Brown, in Aliso
Viejo, Calif. "Auto Update works and a million other patching vendors
should be able to handle it, but because SMS is flawed, they are
leaving customers unsecured?"

In an entry posted to his personal blog, Brown bristled at Microsoft's
contention that eEye acted irresponsibly when it announced its
discovery that the browser crash could be used to plant malicious code
on fully patched Windows systems.

He offered a chronology of the events that led to the Aug. 22 decision
to delay the patch, arguing that Microsoft's own security advisory
"tells the bad guys exactly where the vulnerability is."

"So, to recap, Microsoft writes a patch that causes another flaw, then
delays releasing the patch (unless you call Microsoft support) and
then releases the information needed to identify the vulnerability in
their own advisory update," Brown said.

On the official MSRC (Microsoft Security Response Center) blog,
program manager Stephen Toulouse described the decision to delay the
IE patch as "difficult but necessary."

"Providing the update in its current state would have resulted in
customers being unable to deploy the update," Toulouse said. He did
not elaborate on this or confirm that the SMS issue was the cause for
the delay.

Toulouse said Microsoft made a decision to withhold the full security
implications of the browser crash because that would have been a
violation of its position on responsible disclosure and would have put
customers at increased risk.

"This was another difficult decision on our part. There was no intent
here to misrepresent the issue as not being exploitable. Oftentimes,
however, we find ourselves in the position of having to strike a
balance between providing information equally to users who would use
the information to protect themselves, and attackers who, history has
proven, will immediately use the information for criminal purposes,"  
Toulouse said.

However, eEye Chief Hacking Officer Marc Maiffret said Microsoft's
stance is hard to understand. "This information is already known in
research circles and also [to] exploit writers," Maiffret said in an
interview with eWEEK.

Indeed, according to security alerts aggregator Secunia, based in
Copenhagen, Denmark, at least two research outfits - eEye and Bold
Internet Solutions - reported the exploitable condition to Microsoft.

"If we are finding this, we have to assume the bad guys are looking
and finding it too," Maiffret said.

Microsoft's Toulouse confirmed that the company was working with
multiple researchers and said there was a disagreement on when to go
public with the information that the bug was much more serious than a
browser crash.

On the official IE blog, Microsoft Group Program Manager Tony Chor was
scathing in his criticism of eEye, accusing the company of
"irresponsibly" disclosing the severity of the flaw.

Neither Chor nor Toulouse could be reached to react to eEye's claim
that Microsoft's own advisory mentioned "long URLs" as the cause of
the crash, in effect pointing potential attackers in a certain
direction. In Chor's blog entry, he also mentioned that the
vulnerability exists through a crash in "urlmon.dll," which is much
more information than eEye and others released.

Chor said Microsoft will hold the developer responsible for the new
vulnerability introduced by the original IE patch. "Unfortunately, we
missed this issue, plain and simple. In parallel with making the right
fix, we have been working through how we prevent similar mistakes from
happening again. For instance, we have code-reviewed the past ten
months of code check-ins from the developer responsible for this
issue," Chor said.

He said the company was also "reconsidering" staffing and tools to
allow it to scale better during heavy load periods.


This archive was generated by hypermail 2.1.3 : Wed Aug 23 2006 - 22:38:57 PDT