Windows Update flaw 'left PCs open' to MSBlast

A flaw in Windows Update -- Microsoft's online tool that lets customers update their operating system with patches and fixes -- enabled the MSBlast worm to infect computers that apeared to have already been patched, according to a security expert.

The flaw led to a US Army server, among others, falling victim to MSBlast, according to Russ Cooper, chief scientist at security company TruSecure.

Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

"We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

"If you go to Microsoft's site and say, 'tell me if I am up to date', and it says 'you are up to date', but you are not, what are you supposed to do?" he said.

In order to fix the problem, Windows Update should be looking for the actual fix rather than just a registry entry, Cooper argued. This feature is already included in the tool, but is not "fully enabled", Cooper said.

He recommends that users should run the Microsoft Baseline Security Analyzer (MBSA) as an alternative to Windows Update for checking to see if patches have been correctly installed. MBSA is also designed to look for security problems in the Windows registry and can be downloaded free from Microsoft's Web site.

Microsoft did not respond to requests for comment on the Windows Update issue.

Patching has been a thorn in Microsoft's side, with companies complaining that it takes far too long to implement patches because of the compatibility testing that is necessary before deploying them to thousands of servers and desktops. Additionally, the sheer volume of patches being generated by Microsoft means that companies are finding it difficult to keep up.

Stuart Okin, chief security officer at Microsoft UK, admitted that Microsoft customers spend too much time fixing their systems: "Our customers don't necessarily have the programmes, processes and environments in place to deal with dynamic changes," he said. He admitted that companies have had problems deploying the patch to thousands of workstations or servers "within the space of four weeks" -- approximately the time between when the vulnerability was discovered and the worm was released.

Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system.

Okin said that within two years, Microsoft will have made significant changes to its Windows Update service. The company is planning on introducing a single update source -- probably called Microsoft Update -- which will be capable of updating all of the Microsoft products installed on a computer.

Do you have a horror story related to the spread of the MSBlast worm? If so, add TalkBack below or write to the mailroom.