Microsoft Scrambling to Close Stubborn Security Hole

Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.

Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008.

On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows.

According to Flake, the problem resides in a collection of code that Microsoft uses in a number of places in Windows. This code "library" is also provided to third-party software makers to help them build programs that can leverage certain built-in features of Windows.

As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.

"The bug is actually much 'deeper' than most people realize," Flake wrote. "MS might have accidentally introduced security vulnerabilities into third party products."

I reached out to Flake for additional information, but he told me that shortly after he published that blog post he received a 3 a.m. phone call from Microsoft asking him please not to comment further.

Microsoft has not officially responded to requests for comment about Flake's research. But a source within Microsoft said Redmond could issue an out-of-band update prior to next month's Patch Tuesday to address the outstanding flaws.

The decision over whether to do that or wait until next month's Patch Tuesday may hinge upon whether attackers begin exploiting these other vulnerable areas by using Microsoft's patch (and Flake's research) as a guide to locating the flaws. What's more, this bug is almost certain to be discussed at Black Hat and Defcon, the world's largest annual security conferences, being held next week in Las Vegas.

By Brian Krebs  |  July 22, 2009; 10:33 AM ET
Categories:  Latest Warnings  | Tags: 0day, halvar, microsoft, out-of-band  

Comments

The implication that third party applications may have been rendered vulnerable by the last patch is intriguing. What exploits for what applications may come? There are protections from zero-day exploits/attacks:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/mozilla-firefox-zero-day-exploit-attack-july-2009-protect-antivirus

Posted by: eiverson1 | July 22, 2009 12:05 PM

It just occurred to me that Brian's article on Monday about banks not covering businesses' losses due to malware-caused fraudulent bank transfers attaches greater perspective to the watch-and-wait for 'what exploits may come' before and shortly after these expected out-of-cycle Microsoft patches. BTW, I just crafted a post on business protections from such outcomes:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e

Posted by: eiverson1 | July 22, 2009 12:09 PM

It isn't as simple as Microsoft issuing a security fix. In many cases, libraries are dynamically linked and thus when the system is updated all applications using that library are protected by the fix. However, static linking occurs when the application is built and does not change. Thus there may be many 3rd party apps out there that need to coordinate a fix.

Microsoft's current fix appears to only be a killbit on various ActiveX controls -- meaning that the bug isn't directly addressed. Only a subset of possible paths to the bug have been protected. Included in the other paths, according to Halvar's entry, is Flash. I'm assuming that's why MS is so nervous. Disabling Flash would be very problematic, but almost every web browser has Flash installed -- and may be vulnerable.

Posted by: mwollenweber | July 22, 2009 3:13 PM

Let's hope that Microsoft moves a little less sluggishly than usual to patch this flaw in depth - it doesn't sound at all nice. Good thing there exist more reliable alternatives to Windows OSs!...

Henri

Posted by: mhenriday | July 22, 2009 6:11 PM

I don't understand it! Everything went perfectly well at the dog & pony shows. Let's face it, friends. There is no such thing as 100% total traffic flow security, and there never will be. Good Luck
JMA Tampa

Posted by: tropedoabad | July 23, 2009 10:20 AM

© 2010 The Washington Post Company