Microsoft patch process called into question

Microsoft’s Windows Update patch management program has a critical shortcoming that in some cases could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they aren’t.

Microsoft Corp.’s Windows Update patch management program has a critical shortcoming that in some cases could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they aren’t.

That warning comes from Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp.

But Stephen Toulouse, a security program manager at Microsoft, strongly disagreed with Cooper’s claim about Windows Update, calling it unfounded.

According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch. Until last night at least, Windows Update relied only on the “registry key” information associated with each patch to determine whether a system had a specific patch. When a user goes to the Windows Update site, it first scans the user’s system for such registry keys to determine which patches are installed on the system.

The problem is that a system may have the registry keys associated with a particular patch even though the patch itself hasn’t been installed on the system. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it, according to Cooper.

In that case, Windows Update is fooled into thinking the system is patched because it sees the associated registry key information. Other patch management products look for patch-specific file information in addition to the registry key information, Cooper said.

Toulouse dismissed Cooper’s claims and insisted that Windows Update has “for several months” been checking for file versions in addition to registry keys when scanning for patches.

Pointing to the patch for the latest Windows Remote Procedure Call vulnerability (MS03-026), which is used to fight the Blaster or Lovsan worm, Toulouse said, “There’s been tens of millions of successful implementations of this patch, and we haven’t heard of a situation where customers think they have installed the patch and then find out they haven’t.”

Toulouse also questioned the method Cooper used to demonstrate the problem, calling it a highly unlikely and “artificial scenario.”

“It is entirely possible to try and make something fail. The question is, How realistic is the scenario?” Toulouse said.

By late Wednesday, Microsoft did, in fact, appear to be checking file information in addition to registry key information — at least as far as the latest patch is concerned, Cooper said.

But the same isn’t true for all patches, he said. While it is possible that Windows Update is looking for patch-related file information, it doesn’t appear to use this information to verify the patch.

Cooper isn’t alone in his concerns.

“I’m glad to see that Microsoft has added file version detection to MS03-026 — albeit late (Wednesday) afternoon. However, there are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed by simply writing a registry value,” said a former member of the Microsoft security response team who is now working at a software patch management vendor, who requested anonymity.

According to the source, as of yesterday the patches that could be spoofed by using registry keys included the following: MS03-030, for a critical vulnerability related to a buffer overflow in DirectX; MS03-023, a patch for a critical buffer overflow HTML vulnerability; and MS03-001, another critical vulnerability related to a Microsoft Locator service.

“The only way to properly check for the status of security hot fixes is to scan for each file that ships in each hot fix and verify that these files are still present on the system. Registry keys cannot be relied upon as an indicator of patch status, as these keys may not accurately represent the present state of the machine,” the source said.

Apart from lulling users into a false sense of security, there is a bigger problem, the source said.

“If Windows Update is relying solely on the presence of registry keys to determine if a patch has been installed, this process may be subject to exploitation from the next Internet worm. Imagine a Blaster- or Nimda-style worm that writes specific registry keys to each infected machine.”

By spoofing registry keys, such worms could fool Windows Update into thinking that a user’s system has been properly patched, he said.

On Wednesday, Vivek Kundra, director of infrastructure technologies for Arlington County, Va., said his group had problems using the Windows Update server technology to deploy the patches to fight the Blaster worm. The county began working to install recommended patches for the Windows RPC vulnerability last Thursday, before the recent outbreak began to spread.

Although the county began the process using Microsoft’s Windows Update process, it had to abandon the approach because the patches didn’t always deploy properly. It is now using a Novell Inc. resource management tool called ZENworks to distribute the patches, according to Kundra. The county is now eyeing the possibility of outsourcing its patch management process to a third party.