Windows Update flaw 'left PCs open' to MSBlast

A flaw in Windows Update -- Microsoft's online tool that lets customers update their operating system with patches and fixes -- enabled the MSBlast worm to infect computers that appeared to have already been patched, according to a security expert.

The flaw led to a US Army server, among others, falling victim to MSBlast, according to Russ Cooper, chief scientist at security company TruSecure.

Windows Update works by adding an entry to the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them a list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

"We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

"If you go to Microsoft's site and say, 'tell me if I am up to date', and it says 'you are up to date', but you are not, what are you supposed to do?" he said.

In order to fix the problem, Windows Update should be looking for the actual fix rather than just a registry entry, Cooper argued. This feature is already included in the tool, but is not "fully enabled", Cooper said.
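The difference between the two checks can be modelled in a few lines. This is an added example, not code from the article or from Microsoft: the patch IDs, file names and file contents are constructed placeholders, and a set of strings stands in for the registry entries.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed data: patch IDs, file names and contents are placeholders,
# not real Microsoft identifiers.
FIXED = b"patched-binary-v2"
MANIFEST = {"PATCH-A": {"svc.dll": hashlib.sha256(FIXED).hexdigest()},
            "PATCH-B": {"net.dll": hashlib.sha256(FIXED).hexdigest()},
            "PATCH-C": {"rpc.dll": hashlib.sha256(FIXED).hexdigest()}}


def marker_only_check(markers):
    """The flawed approach described above: trust the 'installed' marker."""
    return {pid: pid in markers for pid in MANIFEST}


def file_level_check(markers, system_dir):
    """Verify each patch by hashing the files it should have delivered."""
    report = {}
    for pid, files in MANIFEST.items():
        problems = []
        for name, want in files.items():
            path = Path(system_dir) / name
            if not path.is_file():
                problems.append(f"{name}: missing")
            elif hashlib.sha256(path.read_bytes()).hexdigest() != want:
                problems.append(f"{name}: old or partial copy")
        if problems:
            status = "MARKER WITHOUT FIX" if pid in markers else "not installed"
        else:
            status = "verified" if pid in markers else "files present, no marker"
        report[pid] = (status, problems)
    return report


def demo():
    """Build a constructed machine state and run both checks on it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "svc.dll").write_bytes(FIXED)             # PATCH-A installed correctly
        (Path(d) / "net.dll").write_bytes(b"vulnerable-v1")  # PATCH-B: install aborted, old file remains
        # PATCH-C: marker written, but rpc.dll was never copied
        markers = {"PATCH-A", "PATCH-B", "PATCH-C"}
        return marker_only_check(markers), file_level_check(markers, d)


if __name__ == "__main__":
    naive, verified = demo()
    for pid in MANIFEST:
        status, problems = verified[pid]
        print(pid, "| marker says installed:", naive[pid], "|", status, problems)
```

The marker-only check reports all three patches as installed, while the file-level check confirms only the first.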

He recommends that users should run the Microsoft Baseline Security Analyzer (MBSA) as an alternative to Windows Update for checking to see if patches have been correctly installed. MBSA is also designed to look for security problems in the Windows registry and can be downloaded free from Microsoft's Web site.

Microsoft did not respond to requests for comment on the Windows Update issue.

Patching has been a thorn in Microsoft's side, with companies complaining that it takes far too long to implement patches because of the compatibility testing that is necessary before deploying them to thousands of servers and desktops. Additionally, the sheer volume of patches being generated by Microsoft means that companies are finding it difficult to keep up.

Stuart Okin, chief security officer at Microsoft UK, admitted that Microsoft customers spend too much time fixing their systems: "Our customers don't necessarily have the programmes, processes and environments in place to deal with dynamic changes," he said. He admitted that companies have had problems deploying the patch to thousands of workstations or servers "within the space of four weeks" -- approximately the time between when the vulnerability was discovered and the worm was released.

Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system.

Okin said that within two years, Microsoft will have made significant changes to its Windows Update service. The company is planning on introducing a single update source -- probably called Microsoft Update -- which will be capable of updating all of the Microsoft products installed on a computer.

Do you have a horror story related to the spread of the MSBlast worm? If so, add TalkBack below or write to the mailroom.

Talkback

Well, I've been trying to download the Windows 2000 version of the fix from the Microsoft download centre, however it just times out - I guess so many folk are trying to get their hands on it that the server can't cope?

via Facebook 15 August, 2003 15:16

This was very useful. I am new to all this and didn't know much and learnt a lot because I am one of those who was infected with the Blaster, but tell me how often should I download patches to protect my computer from any other unexpected attacks?

via Facebook 15 August, 2003 16:25

The solution offered to correct this alleged flaw points to another MS product.

I ran the program and it found several issues with this XP based PC. Guess what the solution was? Yep visit the Windows Update site. LOL

Anyway I visited the site and it doesn't see a problem and tells me that all available updates have been installed.

Thank goodness for my router and software firewall.

via Facebook 15 August, 2003 18:00

We downloaded the patch and installed it on our 2000nt system. We got a message back that the patch was not completely installed and we might have to restore our system with the System Recovery Disk.

We found that the system would not boot any longer. It just went into a constant reboot cycle.

We have spent two days in recovery, hope to be back up completely today.

via Facebook 15 August, 2003 18:08

I think it's time to consider using alternative OSes. Unfortunately, when people think of computers, Windows is the first that comes to their minds... and thousands of viruses, vulnerabilities of all kinds and abuses from its creator, too.
Just think of Linux, for example, which used to be just for technical people, but now you have lots of companies making desktop-ready distributions, and giving better support for them. Everyone is able to know and understand how Linux and every crucial system that runs over it works (at the source-code level), so securing a Linux system (or a *BSD one) is really possible. At least, for the non-technical people, you have plenty of open-source applications available at a very low cost or free, such as office applications and all kinds of internet utilities.
With a system full of this kind of software, you are not exposed to things like Blaster, which are unacceptable for a real OS.
PS: did you know that windowsupdate.com was running over Linux for a while, before changing its domain name? [http://uptime.netcraft.com/up/graph?site=www.windowsupdate.com]

via Facebook 15 August, 2003 20:11

FYI : MBSA does not support Windows 98.

via Facebook 15 August, 2003 20:13

Good article, but what about when running Windows ME? The failed updating situation you describe appears to have happened to me when using the Windows Update service in early August. The service says all critical updates have been performed and nothing needs doing (and nothing can be redone), yet the service's own update scan report notes installation failures. The machine (a Sony Vaio Z505 laptop) is now hanging more often, the compressed folders feature has completely flaked out, and it's a mystery whether the "critical protections" were properly installed. MBSA sounds like a good solution, but it doesn't run on WinME.

via Facebook 15 August, 2003 21:02

ha ha HA ha ha ha HA HA HA ha aha aha ahem

keeps me in business!

via Facebook 15 August, 2003 21:05

"the sheer volume of patches being generated by Microsoft means that companies are finding it difficult to keep up."

Ok, even though I use Linux and am therefore immune to these viruses, Redhat sends me e-mail every few days informing me of updates. There are probably just as many, if not more, patches for Linux than M$. However, most security patches are difficult to exploit and will not give complete control over to an unauthorized party.

Users, like you and me, must take security in our own hands. On Linux (Redhat) you run up2date. On M$ you go to a website and it downloads everything for you, you reboot a couple of times, download some more, then you're "safe". Deal with it. You wear a condom don't you?

via Facebook 15 August, 2003 21:45

I'm curious about the amount of bandwidth that is wasted by the cumulative effect of Microsoft's missteps when it comes to software security. Anyone who runs an Apache server can see in their logs the still lingering effects of such beauties as Code Red. While harder to quantify, you can rest assured that this latest bungle is adding to the bandwidth massacre MS is responsible for. Since Microsoft is so keen on stopping spam perhaps they could get some good traction by paying attention to the products they proliferate. I'd guess that Microsoft exploits waste close to the same amount of bandwidth as does spam email!

via Facebook 16 August, 2003 01:34

I have been busy working on patching many pc systems at work. Long hours for the past few days. Many systems still aren't patched! Hope they don't get infected over the weekend.

I am glad that my home computer is a MAC OSX system and not windows! I have enough trouble at work...where I get paid. M$ is job security!

I like the shirt that says...

Red Hat Linux for servers
Mac for productivity
Windows for solitaire

;)

via Facebook 16 August, 2003 04:23

My mum was having difficulty a few months ago with her Windows machine crashing and her e-mail somehow becoming deleted. When I went around to have a look at it, I decided that the symptoms were that of a virus. $120AU dollars later, we had an anti-virus program installed and removed a bugbear virus.

My poor mother was so angry, and she asked me why I never have such problems. I mentioned that I was running GNU/Linux. She was a bit worried that if she tried it she would have a lot of new things to learn, but she said that she would give it a shot.

I installed Mandrake for her, and to my surprise she has never looked back! This Blaster virus has caused chaos on all of the machines at my mum's work, and she told me that she has great satisfaction from telling everyone that she wasn't affected.

via Facebook 16 August, 2003 08:06

Tired of this msblast crap? Buy a Mac! (or get linux in your pc)

via Facebook 16 August, 2003 13:32

It IS tempting to simply put on a smug smile and say "I run Linux".....as I do: - but there is an issue here beyond the fact that lots of people in the know are taking that path.

The point is that Windows itself is fundamentally flawed because it does not inherently address the question of isolating damage. Even on a "home" computer I have a clear delineation between my user and administrative accounts. So if a virus or worm were to attack my Linux box it would be very unlikely to spread beyond that account and affect the whole OS. Even in Windows XP the "administrative" account is not protected by default- most users probably don't even realise the dangers of running, in Unix terms, as "Root".

In the future perhaps viruses for Linux or Mac might become more common, but it's doubtful whether they could ever wreak as much havoc as the Windows varieties...

Not to mention the built-in firewalling that most Linux distributions ship with "out of the box". Far from perfect - but in contrast, when XP was released it was shipped with "raw" ports... and Microsoft can't really build in a decent firewall without foregoing the "phone home" behaviour of their default installation.

I suspect that the vast majority of home users on Windows don't even run a firewall. They become repositories for Denial of Service "bots" without even knowing that they are being bad internet citizens. Yet most of the arguments about Windows versus Linux centre on usability issues and other trivial concerns.

Windows is broken. Only a complete redesign could fix it.

via Facebook 16 August, 2003 14:26

MSBLAST? God, I wish I'd stuck with my Mac !

via Facebook 17 August, 2003 22:44

Blame the virus-writer not the OS! If more people had Linux or Mac then virus-writers would be more tempted to write for them. Virus writers want notoriety amongst their peers and they get that by causing maximum chaos and publicity. That's why Linux and Mac users are left mostly alone - there are not enough of them.

via Facebook 18 August, 2003 11:43

Microsoft announced this vulnerability around 1 month ago, and I upgraded my operating systems, also I forwarded this information to my friends, but Microsoft did not make a public announcement? If they were able to see such a problem then what was their target not to warn people about this worm? Maybe they want to show that 2000 systems are not secure anymore and they want people to switch to 2003..

via Facebook 18 August, 2003 14:51

How many times do we have to hear MS sing this song?:

"Last year, Microsoft launched its Trustworthy Computing Initiative, which included retraining its programmers to ensure their code was written with security in mind and involved an overhaul of its entire patching system."

... and how many times do we need to hear it before we realize MS is singing way out of tune ?

- - - - -

MS is simply not trustworthy!

via Facebook 18 August, 2003 18:20

THERE MUST BE A LOT OF CONFUSION GOING ON OUT THERE IN THE CYBER WORLD. POWER STRUGGLES, FLAWS IN SOFTWARE. DIFFICULTY IN UPGRADING FROM ONE WINDOWS PROGRAM TO ANOTHER. LIKE CAESAR NOT ALLOWING ANYTHING BUT ROMANS ON THE LINE.

ALSO I AND 1000 OF MY COLLEAGUES LIKE OUTLOOK EXPRESS. IT IS EASIER TO USE, YOU CAN DRESS IT UP, MAKE IT BUSINESS LIKE AND IT ISN'T AS COLD AS MSN, AOL AND HOTMAIL WHICH IS BOMBARDED WITH ADVERTISEMENT.

I AM BEGINNING TO WONDER ABOUT MICROSOFT.

via Facebook 19 August, 2003 02:39

"Billy Gates. Stop making money and fix your software!". Didn't Microsoft listen to this warning?

via Facebook 25 August, 2003 22:29

Well, today I received an email with the subject "wicked screensaver" and an attachment called "application.pif".
I saved the attachment in /tmp and ran an antivirus on it.
Guess what: Sobig.
Guess again: I don't care: I run Debian GNU/Linux 3.0.

via Facebook 26 August, 2003 12:19

I agree with Nick Lansley. All I hear from people running Linux is that 'the world would be a better place if we all changed and used Linux'. No, it wouldn't!
If we all changed, virus writers and hackers would then focus on the new mainstream OS and, crucially even worse than Windows, they can access the source code, which as a programmer I know makes the job of finding a flaw that bit simpler.

The answer to these problems is not to move around them but to fight against them.

And as a final note for all Linux users who think they can't get a virus, visit Symantec's website and search for viruses and flaws found.

via Facebook 1 June, 2004 19:28