Recently Microsoft released a blog post addressing MS09-008, after I raised an issue with it. I think it's clear where my colleagues and I stand on the issue, but here's a quick summary for those who haven't been following ...
The MS09-008 "patch" provides the functionality to apply a mitigation (Global Query Block List) and the application of the mitigation. One of my colleagues even coined the term "patchigation", since the issue is never actually patched. To patch the issue Microsoft would have had to block the ability to set wpad and isatap entries dynamically and they chose not to do this. Instead they have mitigated the risk of a malicious entry by providing a method of blocking the valid response from being sent.
So where does that leave us?
- Before Patchigation
- Attacker sends Dynamic Update to set the wpad entry to a malicious target
- DNS Stores wpad entry
- Victim queries DNS and is provided the malicious wpad entry
- After Patchigation
- Attacker sends Dynamic Update to set the wpad entry to a malicious target
- DNS Stores wpad entry
- Victim queries DNS and is told the address doesn't exist
- After a proper Patch (which isn't available)
- Attacker sends Dynamic Update to set the wpad entry to a malicious target
- DNS Rejects wpad entry
- After Patchigation - no wpad
- Attacker sends Dynamic Update to set the wpad entry to a malicious target
- DNS Stores wpad entry
- Victim queries DNS and is told the address doesn't exist
- After Patchigation - wpad (valid or malicious)
- Attacker sends Dynamic Update to set the wpad entry to a malicious target
- DNS Stores wpad entry
- Victim queries DNS and is provided the malicious wpad entry
But I thought I was patched? Why didn't Microsoft inform me about this?
To be fair, Microsoft did provide information about this (strictly speaking) - the advisory contains a Known Issues link that points to a knowledge base and that knowledge base contains a single line, halfway down the page to inform you that wpad and isatap entries won't be created if they existed prior to the host being patchigated. It's not directly referenced in the advisory, and the Known Issues" link wasn't added until after I contacted Microsoft and wrote my initial blog post, but I digress ...
Microsoft has since commented that it is not the goal of an update to undo an attack that has already taken place and that customers are encouraged to apply the update. I do not believe they should aim to undo previous attacks and I firmly believe that customers should apply the update. The update addresses more than the WPAD issue and we have encouraged our customers to apply the update from the time it was released.
I do, however, believe that this practice of patchigation is a dangerous practice. By burying a packaged mitigation within the monthly patches, Microsoft leaves customers who have already been compromised with a false sense of security that there is no problem. As I've said many times in the past, I'm a big fan of Microsoft's Security Program in general. As a Security Researcher however, my appreciation has to take a back seat to exposing risks as I find them. This one is risky, I found it, and I exposed it.
Microsoft has also stated that no previous patch has ever undone an attack. This is not the first time I've heard the argument that patches are not aimed at undoing an attack, and I feel the need to be clear - I do not expect a Microsoft patch to undo an attack, I expect a Microsoft patch to effectively prevent future attacks. This patchigation does not do that.
If a wpad entry exists, the mitigation is not applied. Since the patch and mitigation are one and the same, that means that the issue is not actually remediated. It's not a matter of undoing the single attack that's taken place already, it's an issue of not preventing future attacks. This same issue holds true for organizations with valid wpad entries, the mitigation isn't applied (as Microsoft has indicated, there's no way of knowing if an entry is valid or not) and therefore future attacks can occur. So this isn't about undoing a single attack, this is about preventing future attacks. I suspect customers' expectations are the same as mine: once I'm patched, I'm immune to future attacks.
So I put the question to you: Is patchigation good enough? Whether you think it is or think it isn't, how much do you want to know?
Comments (3)
Generally speaking how would a patch know if any settings were original genuine or changed malicious or even already repaired settings???
Posted by Rob | March 17, 2009 2:39 AM
Posted on March 17, 2009 02:39
Just out of interest, how would you rather the patch worked? For those of us who already use WPAD (which is a lot of corporations and educational establishments as far as I am aware), we don't want the installation of a patch to break our existing setup. As there's no way to tell the difference between a 'valid' WPAD entry and an 'invalid' entry, what else could Microsoft do?
It is true that M$ could have made the fact that the patch wouldn't fix an existing 'exploited' install clearer in the security bulletin. They could also have made it so that it is impossible to register a new host with the name 'wpad' via DNS or WINS, but this would still run the risk that some organisations were relying on a dynamic update in order to make WPAD work (in other words, running a machine that actually self-registers the name 'wpad' rather than a static DNS entry).
They could have done it another way, but I'm not sure they could have done so without risking disruption one way or another - and for M$, minimising disruption is one of their number one goals for a security patch - otherwise people will be afraid to install them
Posted by Chris | March 18, 2009 2:46 PM
Posted on March 18, 2009 14:46
@Chris & @Rob, I apologize for the delay in approving your comments, I was traveling for CanSecWest.
@Chris:
Microsoft could have done a number of things, which I've outlined in many comments on the blog and to the press. To reiterate the top three, they would be:
1) Provide clearer notification of the action of the patch. This could have been via the advisory (they didn't even reference this issue until after they were contacted about it) or in the patch itself (via a message during individual patch install, automatic updates and/or WSUS.
2) Provide a flag that would allow you to block the wpad entry even if it existed (it's not uncommon for patches to support various flags (such as unattended install)).
3) Provide a wpad update block list, similar to the query block list but to address the issue you mention (Machines that update wpad dynamically -- although to me this screams security risk).
An alternate way would have been to advise against using wpad via DNS and propose wpad via DHCP only. This is one alternate I feel there were many others as well.
I fully agree that Microsoft needs to minimize disruption... however they also need to provide security. Providing only a sense of security in order to minimize disruption is not a fair trade off.
@Rob:
The patch can't know if the settings are valid or malicious, as I've stated several times, there are however, other approaches.
Posted by Tyler Reguly | March 24, 2009 11:08 PM
Posted on March 24, 2009 23:08