Microsoft Drops Ball on Patch Notification
- By Russ Cooper
- December 21, 2004
Microsoft released six new security patches in December, but only five official
Security Bulletins. For some strange reason a patch released on the
same day as the normal monthly patches -- for Windows XP SP2 only --
didn't rate a full Security Bulletin.
Instead, Microsoft Knowledge Base
article 886185, was quietly created and the patch
pushed via Windows Update alone.
This is precisely the sort of action that many people grumbled about
when Automatic Updates was turned on in XP SP2 back in August; the
fear that they would receive silent updates without explanation. I've
always felt that was a rather lame fear. Automatic Updates are intended
to do just that -- update without user knowledge or action. That said,
I didn't think it was going to lead to a reduction in the number of
Security Bulletins published by the Microsoft Security Response Center.
The e-mail notification service can be sent to pagers and other similar
devices, and is the expected channel for such notices.
If it's a security patch -- and this one definitely was -- Microsoft
should make sure there's a proper Security Bulletin published. That
it's for XP SP2 shouldn't change that equation.
For the KB article referenced above, some may argue that this really
isn't a bug in the Microsoft Firewall. Basically, the "My Network
(subnet)" scope is an option when choosing how rules will apply. It's
supposed to limit access to only hosts on your subnet, like computers
in your house. The problem is that some Internet Service Providers
(ISPs) provide ridiculous subnet specifications when dynamically
assigning you an IP address after connecting over dial-up via a modem.
They don't actually assign you a subnet, instead giving you 0.0.0.0 as
your subnet mask. That means that the entire Internet is on the same
subnet as you. It's easy to see how the "My Network (subnet)" scope
becomes useless when connecting to one of those ISPs.
Unfortunately, Microsoft uses that scope limitation by default for File
and Print Sharing. It's also referenced as the preferred choice in the
help documentation, and is also recommended by several large companies
that sell computers.
The other bulletins released Tuesday:
MS04-041. Word for Windows 6.0 Converter buffer overflow. This is a
rather boring buffer overflow which could lead to code of the
attacker's choice running in the context of the victim user. Look out
for .WRI (Windows Write) files you receive as attachments. If you don't
have Word, be careful with .DOC and .RTF files, too. Word and other
Microsoft Office products aren't affected.
MS04-042. This is a rather ugly vulnerability in the Dynamic Host
Configuration Protocol (DHCP) server on Windows NT 4.0 only. Someone
who can send malicious packets to a compromised DHCP server could cause
code to run in the context of the service, typically SYSTEM (which is
the most powerful context.)
MS04-043. Another buffer overflow, this time in HyperTerminal. For
this to work, you'd have to invoke an .HT file type, which is a
HyperTerminal saved session file. There's been chatter about this being
exploitable across the Internet, but you'd have to have associated
HyperTerminal with the Telnet protocol first for this to be possible
(and that isn't the default.) Remove HyperTerminal if you don't need
it; otherwise, remove the association with .HT files. See the bulletin
MS04-044. This combined two vulnerabilities, one in the Windows
kernel (the core of the OS) and the other in the Local Security
Authority Subsystem Service (LSASS), the same service attacked by the
Sasser worm. The difference this time is that neither of these can be
attacked remotely; someone would have to be logged into a current
session to be able to invoke an attack. That puts Terminal Servers at
the most risk.
MS04-045. A Windows Internet Naming Services (WINS) vulnerability.
This protocol is so old it has whiskers. I've discussed this one over
the last couple of weeks, since the vulnerability information was
announced. A buffer overflow could allow an attacker to remotely cause
code of his choice to run in the security context of the WINS service,
typically SYSTEM. Get rid of WINS and use LMHOSTS files if you must.
Other Hacking Developments
Gnutella, a formerly very popular peer-to-peer (P2P) file sharing
network protocol, saw a significant spike in traffic recently. Spikes
don't always indicate malicious traffic, but the use of P2P networks
for spreading malware has significantly increased this year, so spikes
are watched closely.
W32/Zafi.D@mm was released last week and spread significantly,
primarily in non-English speaking countries. Seems that many non-
English speaking countries have gotten used to malware coming in
English, or broken English, and since Zafi.D was distributed in many
languages it managed to make people think it was legitimate. That it
was a Christmas greeting with music didn't help any either.
Remember the rule: "Attachments are malware, regardless of what they
are." If someone really wants to send a Christmas greeting they should
phone -- or better still, visit with some real Christmas cheer. There
will likely be many hoaxes and viruses coming in the form of Christmas
New variants of Maslan were released, including versions that
attempted to perform a Distributed Denial of Service attack against
sites alleged to be supporting Chechen rebels. Hactivism? Nope, just
another piece of useless malware created by yet another demented mind.
The U.S. president will soon have the ability to shut down the Global
Positioning System (GPS) network in the event of a national emergency.
The idea that some terrorists may use GPS to direct an attack is
nothing new, but I seriously doubt whether full consideration has been
given to precisely how many systems need GPS. For example, numerous
Network Time Protocol servers rely upon the GPS network for their time,
so it's possible that a network using Kerberos might not be able to
retrieve network time in such an event. The side effects of bringing
down the GPS network may very well exceed the effects of not taking it
The "Open Security Exchange" was announced. It's a consortium of
vendors developing vendor-neutral specifications and guidelines for the
convergence of physical and electronic security. It's hard to say
whether this is a good idea or not. Certainly, defining "best
practices" for how the two forms of security should work hand-in-hand
is useful, but the idea that the two become one leads to concern about
single points of failure. Do we want perimeter gate cameras and guards
to stop working because someone in the office double-clicked on a
virus? We'll see how this develops.
Look for Health Insurance Portability Accountability Act of 1996
(HIPAA) compliance guidelines to be published by the end of the year by
The Healthcare Security Workgroup (HSW), which includes members from
the Workgroup for Electronic Data Interchange (WEDI) and the National
Institute of Standards and Technology (NIST). That leaves less than
four months to implement compliance, if you haven't already. It seems
that many smaller organizations have chosen to revert to pen and paper
rather than spending the money on compliance. I can't say I feel bad
The U.S. Supreme Court has agreed to hear a case which should
determine whether or not peer-to-peer network providers are responsible
for the content which traverses their networks. This will be a critical
ruling for many aspects of content distribution, so expect to hear all
sorts of arguments against making providers responsible. I'm very much
in favor of assigning more responsibility to those who facilitate
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter. Click here to
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.