Selasa, 12 April 2005

Microsoft Security Bulletins Obscure Details

Today is "patch Tuesday" at Microsoft. Let's consider how easy or difficult it is to get real details on the new vulnerabilities. First we visit www.microsoft.com/security and see "Current security updates:"

Get information on the latest software security updates.

- Exchange Security Update
- Windows Security Updates
- MSN Messenger Update
- Office Security Update

This is nice. Where do I start? I click on the link Windows Security Updates and end up at a page titled "Windows Security Updates Summary for April 2005." This page lists five security bulletins, Security Bulletin MS05-016 through MS05-20. I can't really tell a whole lot looking at the information on this page, although the "Technical bulletin" item for each yields clues.

The first security bulletin, MS05-016 says Vulnerability in Windows Shell That Could Allow Remote Code Execution (893086). Remote code execution is always bad. Does this mean an attacker can exploit a listening Windows service? I can't tell. I do click on the technical bulletin link to learn more.

Now I'm on a Microsoft TechNet page. It says the "Impact of Vulnerability" is "Remote Code Execution." I still don't see anything which clues me in to how this vulnerability can be exploited. I decide to click on the link "Vulnerability Details." Under the title "Windows Shell Vulnerability - CAN-2005-0063:" we read the following:

"A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability."

Ok, I still don't know if this vulnerability affects a listening service. Under "Vulnerability details" there's also a "FAQ for Windows Shell Vulnerability - CAN-2005-0063:", which I click.

Finally I read the answer to my question:

"How could an attacker exploit the vulnerability?

An anonymous attacker could try to exploit the vulnerability by convincing a user to open a specially crafted file. Opening this file could then cause the affected system to run code. The vulnerability would generally be exploited through unregistered file name extension types."

At least I learn that this "Remote Code Execution" vulnerability involves an administrator opening a malicious file.

Does this process seem ridiculous to you too? Now I have to perform the same process for the other vulnerabilities. How long is that going to take?

I suggest Microsoft publish a single page with a table showing the salient details of each new vulnerability. Those of us with network security responsibilities would probably like to see a table column with the title "Involves listening service vulnerable to attack" or similar. That way, we could quickly narrow our focus to the services which will likely become the targets for the next worm, script kiddie, or worse.

0 komentar:

Posting Komentar