Microsoft patch process called into question

Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that in some cases could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they aren't.

That warning comes from Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp.

But Stephen Toulouse, a security program manager at Microsoft, strongly disagreed with Cooper's claim about Windows Update, calling it unfounded.

According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch. Until last night at least, Windows Update relied only on the "registry key" information associated with each patch to determine whether a system had a specific patch. When a user goes to the Windows Update site, it first scans the user's system for such registry keys to determine which patches are installed on the system.

The problem is that a system may have the registry keys associated with a particular patch even though the patch itself hasn't been installed on the system. This can happen, for instance, if a machine crashes or is turned off during patch installation, or if the system lacks the resources to complete it, according to Cooper.

In that case, Windows Update is fooled into thinking the system is patched because it sees the associated registry key information. Other patch management products look for patch-specific file information in addition to the registry key information, Cooper said.

Toulouse dismissed Cooper's claims and insisted that Windows Update has "for several months" been checking for file versions in addition to registry keys when scanning for patches.

Pointing to the patch for the latest Windows Remote Procedure Call vulnerability (MS03-026), which is used to fight the Blaster or Lovsan worm, Toulouse said, "There's been tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."

Toulouse also questioned the method Cooper used to demonstrate the problem, calling it a highly unlikely and "artificial scenario."

"It is entirely possible to try and make something fail. The question is, How realistic is the scenario?" Toulouse said.

By late Wednesday, Microsoft did, in fact, appear to be checking file information in addition to registry key information -- at least as far as the latest patch is concerned, Cooper said.

But the same isn't true for all patches, he said. While it is possible that Windows Update is looking for patch-related file information, it doesn't appear to use this information to verify the patch.

Cooper isn't alone in his concerns.

"I'm glad to see that Microsoft has added file version detection to MS03-026 -- albeit late (Wednesday) afternoon. However, there are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed by simply writing a registry value," said a former member of the Microsoft security response team who is now working at a software patch management vendor, who requested anonymity.

According to the source, as of yesterday the patches that could be spoofed by using registry keys included the following: MS03-030, for a critical buffer overflow in DirectX; MS03-023, for a critical buffer overflow in the HTML Converter; and MS03-001, for another critical vulnerability, in the Microsoft Locator service.

"The only way to properly check for the status of security hot fixes is to scan for each file that ships in each hot fix and verify that these files are still present on the system. Registry keys cannot be relied upon as an indicator of patch status, as these keys may not accurately represent the present state of the machine," the source said.

Apart from lulling users into a false sense of security, there is a bigger problem, the source said.

"If Windows Update is relying solely on the presence of registry keys to determine if a patch has been installed, this process may be subject to exploitation from the next Internet worm. Imagine a Blaster- or Nimda-style worm that writes specific registry keys to each infected machine."

By spoofing registry keys, such worms could fool Windows Update into thinking that a user's system has been properly patched, he said.
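The check that Cooper and the anonymous source describe (registry key plus file versions, rather than the key alone) can be written as a short PowerShell function. This is an added example for illustration, not code from the article, from Microsoft or from Windows Update itself. It assumes the two registry locations under which hotfixes of that era registered themselves, that KB823980 is the MS03-026 hotfix, and an illustrative minimum version for rpcrt4.dll; the real minimum versions must be taken from the bulletin's file manifest for the platform being checked.

```powershell
# Added example, not from the article or from Microsoft: verify a hotfix the way
# the article's sources say it must be verified, by registry key AND by the
# versions of the files the hotfix ships. A key written by an interrupted
# install, or by a worm, with the old binaries still on disk is reported as
# RegistryOnly rather than as Patched.

function Get-FileVersionObject {
    param([Parameter(Mandatory)][string] $Path)
    # Build a [version] from the numeric parts; the FileVersion string can carry
    # trailing build text (e.g. "(xpsp1.030711-1224)") that would not parse.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-HotfixInstalled {
    param(
        [Parameter(Mandatory)][string]    $KB,     # e.g. 'KB823980', assumed to be the MS03-026 fix
        [Parameter(Mandatory)][hashtable] $Files   # file path -> minimum version from the bulletin
    )

    # Registry locations hotfixes of that era registered under. Assumed layout;
    # the product/service-pack component of the second path varies by system.
    $regPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\$KB",
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\$KB"
    )
    $keyPresent = [bool]($regPaths | Where-Object { Test-Path -LiteralPath $_ })

    # Compare each shipped file against the minimum version the bulletin lists.
    $fileResults = foreach ($path in $Files.Keys) {
        $want = [version]$Files[$path]
        $have = if (Test-Path -LiteralPath $path) { Get-FileVersionObject $path } else { $null }
        [pscustomobject]@{
            File     = $path
            Expected = $want
            Actual   = $have
            Ok       = ($null -ne $have -and $have -ge $want)
        }
    }
    $filesOk = -not ($fileResults | Where-Object { -not $_.Ok })

    # RegistryOnly is exactly the state the article describes: the key says
    # "patched", the binaries on disk say otherwise.
    $status = if ($keyPresent -and $filesOk) { 'Patched' }
              elseif ($keyPresent)           { 'RegistryOnly' }
              elseif ($filesOk)              { 'FilesOnlyNoKey' }
              else                           { 'Missing' }

    [pscustomobject]@{
        KB          = $KB
        RegistryKey = $keyPresent
        Files       = $fileResults
        Status      = $status
    }
}

# Usage. The rpcrt4.dll version below is an assumption for illustration only;
# take the real minimum version for your platform from the bulletin's manifest.
Test-HotfixInstalled -KB 'KB823980' -Files @{
    "$env:SystemRoot\System32\rpcrt4.dll" = '5.1.2600.1254'
}
```

Run it on a machine where the KB key has been written but the files were never replaced, and the verdict is RegistryOnly; a scanner that stops at the key lookup would call the same machine patched.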

On Wednesday, Vivek Kundra, director of infrastructure technologies for Arlington County, Va., said his group had problems using the Windows Update server technology to deploy the patches to fight the Blaster worm. The county began working to install recommended patches for the Windows RPC vulnerability last Thursday, before the recent outbreak began to spread.

Although the county began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches didn't always deploy properly. It is now using a Novell Inc. resource management tool called ZENworks to distribute the patches, according to Kundra. The county is now eyeing the possibility of outsourcing its patch management process to a third party.


Jaikumar Vijayan
