Advertisement
Promo

Security threats Toolkit

Microsoft explains seven-year patch delay

Tom Espiner ZDNet.co.uk

Published: 13 Nov 2008 14:45 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft has offered an explanation as to why it took the company seven years to issue a patch for a known vulnerability.

The flaw, which lies in the Microsoft Server Message Block (SMB) protocol, was addressed on Tuesday in Microsoft security bulletin MS08-068. The flaw could enable an SMB Relay attack, which would allow an attacker to install programs; view, change or delete data; or create new accounts with full user rights.

Christopher Budd, a security programme manager in the Microsoft Security Response Center, said in a blog post on Thursday that, while Microsoft had been aware of the vulnerability, fixing it would have broken customer network applications.

"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

Budd explained that, while Microsoft in 2001 advised customers to use SMB signing, it knew then that the mitigation might not be a usuable solution for some.

Read this

Windows 7: screenshot gallery

Read more +

"We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it unfeasible for customers to implement SMB signing," wrote Budd.

The vulnerability was first publicly documented by a security researcher known as 'Sir Dystic' during the @tlanta.con convention in 2001, according to the Metasploit blog. Metasploit also included an SMB Relay module in its attack tool earlier this year.

Metasploit said in the blog post on Tuesday that yesterday's SMB patch from Microsoft was only partially effective.

"The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim," wrote 'HD'. "The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to."

Microsoft was not able to give immediate comment at the time of writing.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
4 out of 4 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

1 comment

  1. What do I need to consider in managing vulnerabili... lumension

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

5 comments

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters