Windows 7 Forums

Windows 7: Microsoft said it couldn't patch Windows to fix a systemic problem

28 Aug 2010   #1
bigcitycat

Windows Seven, Ubuntu
 
 

Quote:
On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.
This worries the hell out of me. Is this as bad as it sounds?

For now I'm using Linux.

Windows DLL load hijacking exploits go wild | Reuters


28 Aug 2010   #2
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

if you had looked at the forum before you posted you would have seen this thread: Critical bug in 40 different Windows apps

there is some info there...
28 Aug 2010   #3
Petey7

Windows 7 Professional SP1 64-bit
 
 

I don't know why hackerman's link isn't working, but I'll try it myself.

Critical bug in 40 different Windows apps

EDIT: it works

28 Aug 2010   #4
Corrine

Windows 7 & Windows Vista Ultimate
 
 

Hi, bigcitycat.

Strange. Although the URL is correct, the topic isn't coming up unless I go to my subscribed topics. Critical bug in 40 different Windows apps. As you can see from the URL, the topic title is Critical bug in 40 different Windows apps.

See DLL Hijacking (KB 2269637) – the unofficial list (Peter Van Eeckhoutte) which lists many, many other programs potentially impacted. The article will help you understand why Microsoft cannot fix it. There are too many other programs impacted. If Microsoft did, they would all be broken.

Each impacted program will need to create their own update, as uTorrent did.

Edit: same experience as Pete. It's working now.
28 Aug 2010   #5
cluberti

Windows 10 Pro x64
 
 

The problem Microsoft has is that there are programs out there that won't work if they patch the hole because in the past this was a legitimate way to write an app (admittedly a long time ago), and people tend to get pissed when a patch breaks their application(s). Hence, they're planning on releasing a tool which would do the same thing (or have, not sure if it's available yet), as one of its options, and leave it up to the user to handle. I'm guessing they will change it in the future (maybe Win8?), but I doubt it'll happen in an existing, shipping OS.
28 Aug 2010   #6
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

hi !

it's a forum-bug !

i discovered that a long time ago.
i was tired when i posted so i forgot how to do it...

if you link to another thread then do NOT use the "Insert Link"-button (the globe in the top menu) !

you CAN insert links to other threads: copy the URL, then just PASTE it into your post.

btw, it's weird that you say above that "now the link works", because when i clicked on the link myself it didn't work.

anyway, i've fixed it now.
29 Aug 2010   #7
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Quote: Originally Posted by cluberti
The problem Microsoft has is that there are programs out there that won't work if they patch the hole because in the past this was a legitimate way to write an app (admittedly a long time ago), and people tend to get pissed when a patch breaks their application(s). Hence, they're planning on releasing a tool which would do the same thing (or have, not sure if it's available yet), as one of its options, and leave it up to the user to handle. I'm guessing they will change it in the future (maybe Win8?), but I doubt it'll happen in an existing, shipping OS.
A quick patch had been provided by MS, read post #11 page 2.

Researcher: 40 Windows Apps Affected by Critical Flaw
31 Aug 2010   #8
Corrine

Windows 7 & Windows Vista Ultimate
 
 
Update on Security Advisory 2269673

(Cross-posting due to multiple topics on this issue.)

As described in the Security, Research & Defense blog (linked below), the following would need to occur in order to be exploited:
Quote:
"this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:
  • Browse to a malicious, untrusted WebDAV server in the Internet Zone; and
  • Double-click a file that appears by its extension and icon to be safe"
Microsoft plans to address the Microsoft products affected by this issue, primarily in the form of security updates or defense-in-depth updates. However, as to third-party products, it is up to those vendors to provide patches for their affected software, which may take some time or, as Jerry Bryant indicated, may not be possible. As a result, the Microsoft Fix it Team has developed a Fix it solution to enable the Microsoft-recommended setting which blocks most network-based vectors.

Microsoft Fix it 50522 Steps:
  1. Download and then install update 2264107, available from the bottom of the page at KB 2264107.
  2. From the same page, click the Fix it button or link under the Enable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the fix it wizard.

    The Fix it solution will deploy the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.
Note: The tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path. As stated previously, the software vendors will be required to update those applications accordingly.
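
The effect of the registry entry described in the post above can be seen in a small model of the DLL search order. This is an added example, not part of the original post and not Microsoft's code. It assumes the setting is the `CWDIllegalInDllSearch` value documented in KB 2264107 (the post does not name it), models only an application started from a local folder, and uses constructed paths and file names.

```python
# Added example: simplified model of the Windows DLL search order and the
# CWDIllegalInDllSearch setting (KB 2264107). All paths are constructed.
import ntpath

CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_REMOVED = 0, 1, 2, 0xFFFFFFFF

def location_kind(path):
    """Classify a directory as 'local', 'smb' or 'webdav' (model only)."""
    p = path.lower()
    if p.startswith("\\\\"):
        parts = p[2:].split("\\")
        # WebDAV UNC paths use a DavWWWRoot share or an @SSL/@port host suffix.
        if "davwwwroot" in parts[1:2] or "@" in parts[0]:
            return "webdav"
        return "smb"
    return "local"

def cwd_allowed(cwd, setting):
    """Is the current working directory still searched under this setting?"""
    kind = location_kind(cwd)
    if setting == CWD_REMOVED:
        return False
    if setting == CWD_BLOCK_WEBDAV:
        return kind != "webdav"
    if setting == CWD_BLOCK_REMOTE:
        return kind == "local"
    return True

def resolve_dll(name, app_dir, cwd, existing, setting=CWD_DEFAULT, path_dirs=()):
    """Return the path a load request resolves to, or None if nothing is found."""
    if ntpath.isabs(name):  # fully qualified path: no directory search happens
        return name if name.lower() in existing else None
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
    if cwd_allowed(cwd, setting):
        order.append(cwd)  # SafeDllSearchMode position: after the system dirs
    order.extend(path_dirs)
    for directory in order:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing:
            return candidate
    return None

APP_DIR = r"C:\Program Files\Player"
EXISTING = {p.lower() for p in (
    r"C:\Program Files\Player\plugins\codec.dll",      # vendor's own copy
    r"\\fileserver\media\codec.dll",                   # untrusted copy on an SMB share
    r"\\example.test@SSL\DavWWWRoot\media\codec.dll",  # untrusted copy on WebDAV
)}
```

With the default setting, a bare `codec.dll` request resolves to whichever remote folder is the working directory; with the value set to 2 it resolves to nothing, and a request by full path reaches the vendor's copy under every setting, which is the per-application fix vendors have to ship.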
