Microsoft has offered an explanation as to why it took the company seven years to issue a patch for a known vulnerability.
The flaw, which lies in the Microsoft Server Message Block (SMB) protocol, was addressed on Tuesday in Microsoft security bulletin MS08-068. The flaw could enable an SMB Relay attack, which would allow an attacker to install programs; view, change or delete data; or create new accounts with full user rights.
Christopher Budd, a security programme manager in the Microsoft Security Response Center, said in a blog post on Thursday that, while Microsoft had been aware of the vulnerability, fixing it would have broken customer network applications.
"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."
Budd explained that, while Microsoft in 2001 advised customers to use SMB signing, it knew then that the mitigation might not be a usuable solution for some.
"We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it unfeasible for customers to implement SMB signing," wrote Budd.
The vulnerability was first publicly documented by a security researcher known as 'Sir Dystic' during the @tlanta.con convention in 2001, according to the Metasploit blog. Metasploit also included an SMB Relay module in its attack tool earlier this year.
Metasploit said in the blog post on Tuesday that yesterday's SMB patch from Microsoft was only partially effective.
"The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim," wrote 'HD'. "The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to."
Microsoft was not able to give immediate comment at the time of writing.
Talkback
Managing vulnerablities is multi-faceted. It is not just about patching, but it is about identifying and managing risk in a timely and cost-effective manner.
To be effetive, there are a number of phases to vulnerability management.
Phases of vulnerability management:
- Discovering assets
- Assessing vulnerabilities and misconfigurations and prioritizing risks
- Mitigating non-patchable risks
- Remediating vulnerabilities
- Reporting and monitoring
Once vulnerabilities are known, the need to prioritise them and know where they need to be deployed is paramount. If all we do is identify that we have thne but are slow to do something about it, then we leave ourselves open to potential exploitation.
Once we have resolved the vulnerability, it is essential to continously monitor for those vulnerablities, since all it takes is for a use to reinstall their system from their CD and they are back to where they started. A comprehensive monitoring and reporting system rounds out a true vulnerability system.
By looking at risk and management of vulnerabilities in this way, companies can begin to take control of their environments, and not be laid open to potential chaos that arises when someone takes advantage of them.