Tuesday, April 12, 2005

Microsoft Security Bulletins Obscure Details

Today is "patch Tuesday" at Microsoft. Let's consider how easy or difficult it is to get real details on the new vulnerabilities. First we visit www.microsoft.com/security and see "Current security updates:"

Get information on the latest software security updates.

- Exchange Security Update
- Windows Security Updates
- MSN Messenger Update
- Office Security Update

This is nice. Where do I start? I click on the link Windows Security Updates and end up at a page titled "Windows Security Updates Summary for April 2005." This page lists five security bulletins, Security Bulletin MS05-016 through MS05-020. I can't really tell a whole lot looking at the information on this page, although the "Technical bulletin" item for each yields clues.

The first security bulletin, MS05-016, says "Vulnerability in Windows Shell That Could Allow Remote Code Execution (893086)." Remote code execution is always bad. Does this mean an attacker can exploit a listening Windows service? I can't tell. I click on the technical bulletin link to learn more.

Now I'm on a Microsoft TechNet page. It says the "Impact of Vulnerability" is "Remote Code Execution." I still don't see anything which clues me in to how this vulnerability can be exploited. I decide to click on the link "Vulnerability Details." Under the title "Windows Shell Vulnerability - CAN-2005-0063:" we read the following:

"A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability."

Ok, I still don't know if this vulnerability affects a listening service. Under "Vulnerability details" there's also a "FAQ for Windows Shell Vulnerability - CAN-2005-0063:", which I click.

Finally I read the answer to my question:

"How could an attacker exploit the vulnerability?

An anonymous attacker could try to exploit the vulnerability by convincing a user to open a specially crafted file. Opening this file could then cause the affected system to run code. The vulnerability would generally be exploited through unregistered file name extension types."

At least I learn that this "Remote Code Execution" vulnerability involves an administrator opening a malicious file.

Does this process seem ridiculous to you too? Now I have to perform the same process for the other vulnerabilities. How long is that going to take?

I suggest Microsoft publish a single page with a table showing the salient details of each new vulnerability. Those of us with network security responsibilities would probably like to see a table column with the title "Involves listening service vulnerable to attack" or similar. That way, we could quickly narrow our focus to the services which will likely become the targets for the next worm, script kiddie, or worse.
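The table suggested above can be built mechanically from the bulletin text, and doing so shows why the "listening service" column matters for triage. The script below is an added example, not code from this post or from Microsoft: it takes bulletin records (one constructed from the MS05-016 wording quoted above, one entirely hypothetical with placeholder identifiers), applies assumed phrase lists to decide whether exploitation needs user interaction or reaches a listening service, and prints the one-page summary the post asks for, with service-reachable issues sorted to the top. The phrase lists are heuristics I chose for the example, not anything Microsoft publishes.

```python
"""Triage Microsoft security bulletins into a single summary table.

Added example. The bulletin records are constructed: the first reuses the
MS05-016 / CAN-2005-0063 text quoted in the post, the second is a hypothetical
record with placeholder identifiers. The phrase lists are assumptions.
"""
from dataclasses import dataclass

# Phrases that, in a bulletin's details or FAQ, signal a user must act.
USER_INTERACTION_PHRASES = (
    "user interaction is required",
    "convincing a user",
    "open a specially crafted file",
)
# Phrases that signal the bug is reachable over the network without a user.
LISTENING_SERVICE_PHRASES = (
    "specially crafted network message",
    "specially crafted packet",
    "listening port",
)


@dataclass
class Bulletin:
    bulletin_id: str
    cve: str
    title: str
    impact: str
    text: str  # "Vulnerability Details" and FAQ text, concatenated


def requires_user_interaction(text: str) -> bool:
    """True when the wording says a user must open or run something."""
    t = text.lower()
    # Negated forms must win, or "no user interaction is required" would
    # match the positive phrase as a substring.
    if "no user interaction" in t or "without user interaction" in t:
        return False
    return any(p in t for p in USER_INTERACTION_PHRASES)


def reaches_listening_service(text: str) -> bool:
    """True when the wording describes an unsolicited network trigger."""
    t = text.lower()
    return any(p in t for p in LISTENING_SERVICE_PHRASES)


def classify(b: Bulletin) -> dict:
    ui = requires_user_interaction(b.text)
    svc = reaches_listening_service(b.text) and not ui
    return {
        "bulletin": b.bulletin_id,
        "cve": b.cve,
        "impact": b.impact,
        "user_interaction": ui,
        "listening_service": svc,
    }


def triage(bulletins: list) -> list:
    """Classify every bulletin; likely worm targets (listening services) first."""
    rows = [classify(b) for b in bulletins]
    rows.sort(key=lambda r: (not r["listening_service"], r["bulletin"]))
    return rows


def render(rows: list) -> str:
    """Return the summary table as text."""
    header = f"{'Bulletin':<10} {'CVE':<14} {'Impact':<22} {'User action?':<13} Listening service?"
    lines = [header, "-" * len(header)]
    for r in rows:
        ui = "yes" if r["user_interaction"] else "no"
        svc = "yes" if r["listening_service"] else "no"
        lines.append(f"{r['bulletin']:<10} {r['cve']:<14} {r['impact']:<22} {ui:<13} {svc}")
    return "\n".join(lines)


# Constructed sample input (see module docstring).
SAMPLE = [
    Bulletin(
        "MS05-016", "CAN-2005-0063",
        "Vulnerability in Windows Shell That Could Allow Remote Code Execution",
        "Remote Code Execution",
        "A remote code execution vulnerability exists in the Windows Shell because "
        "of the way that it handles application association. However, user "
        "interaction is required to exploit this vulnerability. An anonymous "
        "attacker could try to exploit the vulnerability by convincing a user to "
        "open a specially crafted file.",
    ),
    Bulletin(
        "MSxx-xxx", "CAN-xxxx-xxxx",  # placeholders: hypothetical record
        "Hypothetical service vulnerability (constructed)",
        "Remote Code Execution",
        "A remote code execution vulnerability exists because the service does not "
        "validate a specially crafted network message received on its listening "
        "port. No user interaction is required to exploit this vulnerability.",
    ),
]

if __name__ == "__main__":
    print(render(triage(SAMPLE)))
```

Run stand-alone it prints the hypothetical service bug on the first row and MS05-016 below it, flagged as needing a user to open a file. Substring matching on prose is only a first pass; the value is that the decision and its evidence are explicit, so a reviewer can correct a misclassified bulletin in one place instead of clicking through each FAQ by hand.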

4 comments:

Anonymous said...

No, you're not the first person to find this a pain.
Even worse is when Internet Explorer is not explicitly mentioned, just 'the Internet'.
e.g. You could get a malicious file just by browsing to a malicious site
...never mind the fact that this only affects the Internet Explorer web browser, and not all browsers.

Keydet89 said...

Richard,

You need to keep the audience in mind when reading these things. I am sure that MS is targeting the generic Windows Administrator with these things, and they decided, "let's not give them too much information, as it will overwhelm them." I'm sure that they're simply trying to push, "...just install the patch, big fella..."

I had the same frustrations when I was in an FTE position over a year ago...the Windows admins would see a reference to "remote attacker", but it was simply too difficult to dig through all of the cruft to find out that the "remote attacker" had to (a) get a file on your system, and (b) get someone with admin privileges to execute the file.

The other sad thing is that this is still being done, because it works...

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

marc spitzer said...

Here is a List of all the MS RSS feeds, there is one for security:
http://msdn.microsoft.com/aboutmsdn/rss/

tweedledeetweedledum said...

This comment has been removed by a blog administrator.