Windows Update flaw 'left PCs open' to MSBlast
Summary: A flaw in Windows Update caused some organisations - including the US Army - to wrongly believe they were protected from MSBlast, according to a researcher
A flaw in Windows Update -- Microsoft's online tool that lets customers update their operating system with patches and fixes -- enabled the MSBlast worm to infect computers that appeared to have already been patched, according to a security expert.
The flaw led to a US Army server, among others, falling victim to MSBlast, according to Russ Cooper, chief scientist at security company TruSecure.
Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them a list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.
"We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.
"If you go to Microsoft's site and say, 'tell me if I am up to date', and it says 'you are up to date', but you are not, what are you supposed to do?" he said.
In order to fix the problem, Windows Update should be looking for the actual fix rather than just a registry entry, Cooper argued. This feature is already included in the tool, but is not "fully enabled", Cooper said.
He recommends that users should run the Microsoft Baseline Security Analyzer (MBSA) as an alternative to Windows Update for checking to see if patches have been correctly installed. MBSA is also designed to look for security problems in the Windows registry and can be downloaded free from Microsoft's Web site.
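The check Cooper argues for, verifying the patched file itself rather than trusting the registry entry, sketched as an added example that is not part of the original article or any Microsoft tool. The host names, record fields and version numbers are constructed placeholders.

```python
# Added example: decide patch state from the file on disk, not only from
# the registry marker. All names and values are constructed placeholders.
from typing import NamedTuple, Optional

class HostRecord(NamedTuple):
    host: str
    registry_marker: bool          # installer wrote its "patch installed" entry
    file_version: Optional[str]    # version of the patched binary, None if absent

FIXED_VERSION = "5.1.2600.200"     # placeholder: first build that contains the fix

def parse_version(text: str) -> tuple:
    """Split a dotted file version into integers so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(rec: HostRecord, fixed: str = FIXED_VERSION) -> str:
    file_ok = (rec.file_version is not None
               and parse_version(rec.file_version) >= parse_version(fixed))
    if file_ok and rec.registry_marker:
        return "patched"
    if file_ok:
        return "patched-no-marker"   # fix present; a registry-only scan re-offers it
    if rec.registry_marker:
        return "FALSE-POSITIVE"      # reported up to date, file never replaced
    return "unpatched"

def audit(records):
    """Map each host to its real patch state."""
    return {rec.host: classify(rec) for rec in records}

# Constructed inventory covering the failure mode described in the article.
INVENTORY = [
    HostRecord("ws-01", True, "5.1.2600.200"),
    HostRecord("ws-02", True, "5.1.2600.99"),    # marker written, old file remains
    HostRecord("ws-03", True, None),             # marker written, file missing
    HostRecord("ws-04", False, "5.1.2600.1000"),
    HostRecord("ws-05", False, "5.1.2600.99"),
]

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host}: {state}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank build 99 above build 200 and hide the hosts that are still exposed.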
Microsoft did not respond to requests for comment on the Windows Update issue.
Patching has been a thorn in Microsoft's side, with companies complaining that it takes far too long to implement patches because of the compatibility testing that is necessary before deploying them to thousands of servers and desktops. Additionally, the sheer volume of patches being generated by Microsoft means that companies are finding it difficult to keep up.
Stuart Okin, chief security officer at Microsoft UK, admitted that Microsoft customers spend too much time fixing their systems: "Our customers don't necessarily have the programmes, processes and environments in place to deal with dynamic changes," he said. He admitted that companies have had problems deploying the patch to thousands of workstations or servers "within the space of four weeks" -- approximately the time between when the vulnerability was discovered and the worm was released.
Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system.
Okin said that within two years, Microsoft will have made significant changes to its Windows Update service. The company is planning on introducing a single update source -- probably called Microsoft Update -- which will be capable of updating all of the Microsoft products installed on a computer.
Talkback
I ran the program and it found several issues with this XP based PC. Guess what the solution was? Yep visit the Windows Update site. LOL
Anyway I visited the site and it doesn't see a problem and tells me that all available updates have been installed.
Thank goodness for my router and software firewall.
We found that the system would not boot any longer. It just went into a constant reboot cycle.
We have spent two days in recovery, hope to be back up completely today.
Just think of Linux, for example, which used to be just for technical people, but now you have lots of companies making desktop-ready distributions, and giving better support for them. Everyone is able to know and understand how linux and every crucial system that runs over it works (at the source-code level), so securing a Linux system (or a *BSD one) is really possible. At least, for the non-technical people, you have plenty of open-source applications available at a very low cost or free, such as office-applications and all kind of internet utilities.
With a system full of this kind of software, you are not exposed to things like Blaster, which are unacceptable for a real OS.
PD : did you know that windowsupdate.com was running over linux for a while, before changing its domain name?[http://uptime.netcraft.com/up/graph?site=www.windowsupdate.com]
keeps me in business!
Users, like you and me, must take security in our own hands. On linux (Redhat) you run up2date. On M$ you go to a website and it downloads everything for you, you reboot a couple times, download some more, then you're "safe". Deal with it. You wear a condom don't you?
I am glad that my home computer is a MAC OSX system and not windows! I have enough trouble at work...where I get paid. M$ is job security!
I like the shirt that says...
Red Hat Linux for servers
Mac for productivity
Windows for solitaire
;)
My poor mother was so angry, and she asked me why I never have such problems. I mentioned that I was running GNU/Linux. She was a bit worried that if she tried it she would have a lot of new things to learn, but she said that she would give it a shot.
I installed Mandrake for her, and to my surprise she has never looked back! This Blaster virus has caused chaos on all of the machines at my mum's work, and she told me that she has great satisfaction from telling everyone that she wasn't affected.
The point is that Windows itself is fundamentally flawed because it does not inherently address the question of isolating damage. Even on a "home" computer I have a clear delineation between my user and administrative accounts. So if a virus or worm were to attack my Linux box it would be very unlikely to spread beyond that account and affect the whole OS. Even in Windows XP the "administrative" account is not protected by default- most users probably don't even realise the dangers of running, in Unix terms, as "Root".
In the future perhaps viruses for Linux or Mac might become more common, but it's doubtful whether they could ever wreak as much havoc as the Windows varieties...
Not to mention the built-in firewalling that most Linux distributions ship with "out of the box". Far from perfect - but in contrast, when XP was released it was shipped with "raw" ports... and Microsoft can't really build in a decent firewall without foregoing the "phone home" behaviour of their default installation.
I suspect that the vast majority of home users on Windows don't even run a firewall. They become repositories for Denial of Service "bots" without even knowing that they are being bad internet citizens. Yet most of the arguments about Windows versus Linux centre on usability issues and other trivial concerns.
Windows is broken. Only a complete redesign could fix it.
"Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system."
... and how many times do we need to hear it before we realize MS is singing way out of tune ?
- - - - -
MS is simply not trustworthy!
ALSO I AND 1000 OF MY COLLEAGUES LIKE OUTLOOK EXPRESS. IT IS EASIER TO USE, YOU CAN DRESS IT UP, MAKE IT BUSINESS LIKE AND IT ISN'T AS COLD AS MSN, AOL AND HOTMAIL WHICH IS BOMBARDED WITH ADVERTISEMENT.
I AM BEGINNING TO WONDER ABOUT MICROSOFT.