One Patch to Rule Them All
Tim Mullen, 2002-09-30

A recent XP security hole raises the question: do we really want Microsoft to release individual fixes for every bug?

On August 15th, Shane Hird published the details of a potentially serious issue with the Windows XP Help and Support Center where the contents of a known directory could be deleted if an attacker tricked someone into executing a maliciously formatted URL. At the time, there was no published patch, and no official work-around.

For the most part, it went unnoticed. Well, that may be a generalization -- I failed to notice it, as did all of the security people I know, but that doesn't mean the bad guys didn't tuck the information away in their cache of "crappy things to do to people when you're a script kiddie."

Granted, it wasn't a huge bug, but it did allow for one to trivially delete files from a victim's box (under the right circumstances). And since we are talking about an exploit primarily against the end user -- the home user -- we could hardly expect that the potential targets would be employing "best practices" security that would mitigate their exposure. Honestly, we can't expect them to even know what the best practices are in the first place.

Two weeks later, the issue went mainstream with a live demonstration of the exploit on Tech TV's "Screen Savers" program. At the same time, Microsoft produced a patch, but they managed to pull it off without ever acknowledging the bug. They simply buried the fix in the newly-released XP Service Pack 1 (SP1) update -- a 50 megabyte monster download that contained fixes for any number of bugs.

The flood of mainstream attention to the Help Center bug came at the worst time for the user. The XP SP1 release was so new that it was mostly unavailable due to traffic saturation on Microsoft's servers. And its massive size made it a problematic download for slow-link users.

It was an awkward time for Microsoft. Here they had an issue that was (at that point) fixed in a newly released service pack, but many people couldn't, or wouldn't, install it.

As the issue got more and more publicity, Microsoft came under increased fire for not supporting users with an immediate and easy-to-apply patch aimed specifically at the Help Center bug. To fill this gap, GRC's Steve Gibson wrote a small application that replaced the HTM file where the bug lived with the one updated in SP1. The fact that it was downloaded over 100,000 times in a few days highlighted end users' interest in such a fix.

New Paradigm
What we didn't know then was that there were other core issues with HCP that could be leveraged in far more serious ways than just deleting someone's files -- which is why Microsoft did not officially condone Gibson's work-around, or release it themselves. Even with the quick fix, the service pack was (and still is) a required update.

But the demand for an a la carte Help Desk fix was obvious. And this week, according to my sources at Microsoft, the company is going to accede to that demand and do something it has never done before. It will back-port a specific fix for all the Help and Support Center issues into a stand-alone patch, even though the code has been fixed in an already-published service pack.

We stomped our feet and yelled for something better; Microsoft listened, and produced.

But what have we really done? Have we ultimately demanded that Microsoft allow us to be less secure? By asking them to address a tiny subset of security issues where many more exist and to let us pick and choose which ones we think we need, we may have done just that.

The fact is, the best way to bring a client up to the most complete patch level is with a full service pack. It isn't a perfect system, but the service pack paradigm is the best we've got.

Is it right for us to ask Microsoft to cater to our perceptions when they know that reality is different? When other issues that are fixed in a service pack get published, will we demand that they also be back-ported into stand-alone fixes? Where will it stop? Will there be some back-port time limit? And what will such a system do to our already difficult-to-manage enterprise patch management systems?

This new Service Pack paradigm we asked for might suit our immediate wants, but I am concerned about how it will play out in the future. When the things we thought we wanted do not turn out to be the things we really needed, I wonder who we will blame.

There is an old saying that says "the customer is always right." But sometimes I wonder.


SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.