Information Assurance

Ian Block




 


Bugtraq Analysis


Microsoft’s Silent Patches

4/24/06

 

·         What is the problem?

Microsoft bundles fixes for undisclosed vulnerabilities into its routine patches without listing them in the accompanying security bulletins (so-called silent patches).

 

·         What could possibly go wrong?

o       IT administrators cannot judge the true severity of a patch if they are not told about every fix it contains. They may therefore deploy it less urgently than the actual threat warrants, leaving systems exposed to attack in the meantime.

o       Trend Micro (a software firm that makes virus-checking software for servers) recently became aware of a vulnerability in the Microsoft Foundation Classes (MFC) static libraries that its products use to build Internet Server Application Programming Interface (ISAPI) extensions for IIS-based user interfaces. Microsoft had silently fixed the vulnerability without notifying anyone. Because a static library is compiled into each product’s own binaries, an operating-system update cannot replace it; only the product vendor can fix it, by rebuilding against the corrected library. Since Trend Micro did not know a fix existed, the heap overflow remained in its software, putting its customers at risk of code-execution attacks.

 

·         What could have prevented the problem?

Microsoft could be transparent about the contents of its patches.

 

·         What can be done to work around it?

o       Users could avoid relying on Windows systems.

o       Patches could be reverse engineered by consumers, for example by diffing patched binaries against the originals to see which functions actually changed (impractical for most organizations).

 

·         What can be done to prevent the problem from occurring in the future?

o       Microsoft could be upfront about the contents of its patches.

o       Consumers could form a consortium that pools resources to reverse engineer Microsoft patches, so that all members know precisely what the patches actually contain.

o       Microsoft could make its code and patch process fully transparent by publishing its source code and running its flaw-correction regime as an open-source project (this would never happen).
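A cheaper first step than full reverse engineering, for both the workaround and the consortium idea above, is to check what a patch touched against what its advisory claims. The script below is an added example for this analysis, not code from Microsoft, eWeek or Trend Micro. It assumes the defender records SHA-256 hashes of the relevant files before and after applying a patch and has the advisory’s list of files it says it updates; the file names, contents and advisory list are constructed for the demonstration.

```python
"""Flag files a patch changed that its advisory never mentioned.

Added example, not from the original page or any vendor. Assumes the
defender snapshots file hashes before and after patching and has the
advisory's claimed file list. All inputs here are constructed.
"""
import hashlib


def snapshot(files):
    """Hash the content of every file. `files` maps path -> bytes
    (in practice this would read the files from disk)."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in files.items()}


def audit_patch(before, after, advised):
    """Compare pre-/post-patch hash snapshots with the advisory.

    Returns a dict with three sorted lists:
      'undisclosed'          files changed or added that the advisory omits
      'unchanged_but_listed' files the advisory names whose hash did not move
      'removed'              files present before the patch and gone after it
    Anything in 'undisclosed' deserves a closer look (binary diffing,
    vendor inquiry) before the patch's priority is decided.
    """
    advised = set(advised)
    changed = {p for p in after if before.get(p) != after[p]}
    removed = set(before) - set(after)
    return {
        "undisclosed": sorted(changed - advised),
        "unchanged_but_listed": sorted(advised - changed - removed),
        "removed": sorted(removed),
    }


# Constructed sample: a "routine" update whose advisory lists mfc42.dll
# and w3svc.dll. The bytes stand in for file contents, not real versions.
BEFORE_FILES = {
    r"C:\Windows\System32\mfc42.dll": b"mfc42 build 1",
    r"C:\Windows\System32\msvcrt.dll": b"msvcrt build 1",
    r"C:\Windows\System32\inetsrv\w3svc.dll": b"w3svc build 1",
    # Vendor ISAPI extension with MFC linked statically: an OS patch
    # cannot change it, so its hash stays the same either way.
    r"C:\Program Files\Vendor\isapi_ui.dll": b"vendor isapi, static mfc",
}
AFTER_FILES = dict(BEFORE_FILES)
AFTER_FILES[r"C:\Windows\System32\mfc42.dll"] = b"mfc42 build 2"   # disclosed
AFTER_FILES[r"C:\Windows\System32\msvcrt.dll"] = b"msvcrt build 2"  # silent
AFTER_FILES[r"C:\Windows\System32\mfc42u.dll"] = b"mfc42u build 2"  # silent, new
ADVISED_FILES = {
    r"C:\Windows\System32\mfc42.dll",
    r"C:\Windows\System32\inetsrv\w3svc.dll",  # claimed, but never touched
}


def demo():
    """Run the audit over the constructed snapshots and return the report."""
    return audit_patch(snapshot(BEFORE_FILES), snapshot(AFTER_FILES), ADVISED_FILES)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Running it reports msvcrt.dll and the new mfc42u.dll as undisclosed changes and w3svc.dll as listed but unchanged. Note what the check cannot do: the vendor’s statically linked isapi_ui.dll is unchanged in both snapshots, which is exactly the Trend Micro situation, so a silent fix to a static library is invisible to file-hash auditing and can only be caught by the vendor rebuilding against the corrected library.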

 

 

Article found on Slashdot, pointing to the eWeek article “Microsoft Patches: When Silence Isn’t Golden” (http://www.eweek.com/article2/0,1895,1951186,00.asp).