Information Security News mailing list archives

Microsoft's Patching Conundrum


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Dec 2003 03:29:56 -0600 (CST)

http://www.atnewyork.com/news/article.php/3288141

December 11, 2003
By Ryan Naraine

On the heels of an announcement from Microsoft that it won't be issuing 
December security patches under the new monthly release cycle, a 
security researcher has gone public with a new Internet Explorer 
vulnerability that could be used by 'phishers' to perpetrate online 
fraud.

The latest IE flaw carries a 'moderately critical' rating and is the 
second major vulnerability in the world's most popular Web browser 
that remains unpatched.

Late last month, Chinese researcher Liu Die Yu warned of five serious 
IE vulnerabilities that could be exploited to take over a vulnerable 
system. Yu's warning was released on several public mailing lists and 
carried a 'critical' rating, warning that the flaws could lead to system 
access, exposure of sensitive information, cross-site scripting and 
security bypass.

The public release of proof-of-concept exploits before fixes are 
issued underscores the nightmares the software giant faces in its 
all-out effort to improve its patch management process. A company 
spokesman told internetnews.com that internal investigations were 
ongoing regarding both IE flaw alerts and promised a patch would be 
issued at the appropriate time.

Publicly, Microsoft isn't saying why it decided against releasing 
patches. On the TechNet repository, the company said simply that if 
the need arises for emergency patches, they will be issued outside the 
monthly releases.

A company official told internetnews.com security fixes were in 
development but problems during the testing phase pushed back the 
release date. The source could not say if a cumulative patch for 
Internet Explorer was part of the tests and left the door open to an 
emergency release of an IE patch before the second Tuesday in January, 
the next scheduled release date.

As Microsoft struggles to cope with the patch management headache, 
researchers say the latest IE flaw was found in the way the browser 
displays URLs in the address bar. A test exploit [1] using the 
microsoft.com domain was made public, showing that a specially crafted 
URL can be used by an attacker to spoof a Web address.

The spoofing technique is regularly used by scammers to trick 
unsuspecting surfers into giving up sensitive information, including 
credit card and social security numbers.

The URL spoofing flaw, which affects IE version 6.0, lets an attacker 
hide the real location of a Web page by including a special character 
and the "@" sign. "Successful exploitation allows a malicious person 
to display an arbitrary FQDN (Fully Qualified Domain Name) in the 
address bar, which is different from the actual location of the page," 
according to the alert.
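The flaw described above turns on the difference between what the address bar shows and the host the browser actually connects to: in a URL of the form `http://userinfo@host/`, everything before the "@" is credential data, not the destination. The following added example (not code from the article or its cited alert) parses links the way a mail gateway or link checker would and flags the cases a defender cares about: a userinfo part that looks like a domain name, embedded credentials, and control characters in the raw URL. The sample links are constructed for the demonstration, and the control character used is an arbitrary one, since the article does not name the character IE mishandled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample links (not taken from the article or the alert).
SAMPLE_LINKS = [
    "http://www.example.com/",                               # ordinary link
    "http://www.example.com@login.example.net/account",      # userinfo mimics a host
    "http://user:pass@files.example.org/",                   # embedded credentials
    "http://www.example.com\x01@login.example.net/",         # arbitrary control char
]

# Loose "looks like a domain name" pattern for the userinfo portion.
_DOMAIN_LIKE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def real_host(url: str) -> str:
    """Host the browser actually connects to: the part of the authority after any '@'."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_part(url: str) -> str:
    """Text before the last '@' in the authority (empty if there is none)."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""


def analyze_link(url: str) -> dict:
    """Parse one link and report why it should (or should not) be treated as suspicious."""
    reasons = []

    # Control characters in the raw string are never legitimate in a link a user is shown.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        reasons.append("control character in URL")

    userinfo = userinfo_part(url)
    host = real_host(url)

    if userinfo:
        # The username field (before any ':') is what a confused user would read as the site.
        username = userinfo.split(":", 1)[0].lower()
        if _DOMAIN_LIKE.fullmatch(username):
            reasons.append(f"userinfo '{username}' looks like a hostname but real host is '{host}'")
        else:
            reasons.append("credentials embedded in URL")

    return {
        "url": url,
        "host": host,
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyze_link(link)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} host={result['host']!r} {'; '.join(result['reasons'])}")
```

The key design point is that the check reads the host from a real URL parser rather than from the text a user sees: whatever an address bar renders, the destination is what `urlsplit` returns as the hostname, and any userinfo that resembles a domain name is a reason to hold the message or rewrite the link.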

Separately, Jupiter Research analyst Joe Wilcox disclosed that a 
glitch in Microsoft's Windows Update detection process accounted for 
the issuance of the patch for the November FrontPage Server Extensions 
security vulnerability.

Writing on the Microsoft Monitor Weblog, Wilcox said a change in 
Windows Update resulted in the patch being issued for systems that did 
not need it. "Unfortunately, I let Windows Update apply the patch to 
three of my computers. Now, the question is what problems, if any, 
that might cause for any computers to which the patch was applied," he 
said.

He said the Windows Update glitch was another black eye against the 
Redmond, Wash.-based company. "[T]he larger problem is trust and 
execution. If the company truly plans to make the Windows Update 
process better and, presumably, more automatic, the dispatched patches 
must always be the right ones. Consumers and smaller businesses would 
need to be able to trust that the process will always be flawless. A 
wrong patch could create big problems if put on the wrong version of 
Windows or application. Larger businesses would want to test patches 
anyway," Wilcox argued.

* Editor's Note: internetnews.com and Jupiter Research share the same 
parent company.

[1] http://www.zapthedingbat.com/security/ex01/vun1.htm


