Microsoft said it couldn't patch Windows to fix a systemic problem

bigcitycat

On Monday, Microsoft confirmed reports of unpatched -- or zero-day -- vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

This worries the hell out of me. Is this as bad as it sounds?

For now I'm using Linux.

Windows DLL load hijacking exploits go wild | Reuters
 

Hi, bigcitycat.

Strange. Although the URL is correct, the topic isn't coming up unless I go to my subscribed topics. http://www.sevenforums.com/system-security/105488-critical-bug-40-different-windows-apps.html . As you can see from the URL, the topic title is Critical bug in 40 different Windows apps.

See DLL Hijacking (KB 2269637) – the unofficial list (Peter Van Eeckhoutte) which lists many, many other programs potentially impacted. The article will help you understand why Microsoft cannot fix it. There are too many other programs impacted. If Microsoft did, they would all be broken.

Each impacted program will need to create its own update, as uTorrent did.

Edit: same experience as Pete. It's working now.
 

The problem Microsoft has is that there are programs out there that won't work if they patch the hole because in the past this was a legitimate way to write an app (admittedly a long time ago), and people tend to get pissed when a patch breaks their application(s). Hence, they're planning on releasing a tool which would do the same thing (or have, not sure if it's available yet), as one of its options, and leave it up to the user to handle. I'm guessing they will change it in the future (maybe Win8?), but I doubt it'll happen in an existing, shipping OS.
 

Hi!

It's a forum bug!

I discovered that a long time ago.
I was tired when I posted, so I forgot how to do it...

If you link to another thread, do NOT use the "Insert Link" button (the globe in the top menu)!

You CAN insert links to other threads: copy the URL, then just PASTE it into your post.

BTW, it's weird that you say above that "now the link works", because when I clicked on the link myself it didn't work.

Anyway, I've fixed it now.
 

The problem Microsoft has is that there are programs out there that won't work if they patch the hole because in the past this was a legitimate way to write an app (admittedly a long time ago), and people tend to get pissed when a patch breaks their application(s). Hence, they're planning on releasing a tool which would do the same thing (or have, not sure if it's available yet), as one of its options, and leave it up to the user to handle. I'm guessing they will change it in the future (maybe Win8?), but I doubt it'll happen in an existing, shipping OS.

A quick patch has been provided by MS; read post #11 on page 2.

http://www.sevenforums.com/news/105...apps-affected-critical-flaw-2.html#post928472
 

Update on Security Advisory 2269637

(Cross-posting due to multiple topics on this issue.)

As described in the Security, Research & Defense blog (linked below), the following would need to occur in order to be exploited:
"this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:

  • Browse to a malicious, untrusted WebDAV server in the Internet Zone; and
  • Double-click a file that appears by its extension and icon to be safe"
Microsoft plans to address the Microsoft products affected by this issue, primarily in the form of security updates or defense-in-depth updates. However, as to third-party products, it is up to those vendors to provide patches for their affected software, which may take some time or, as Jerry Bryant indicated, may not be possible. As a result, the Microsoft Fix it Team has developed a Fix it solution to enable the Microsoft-recommended setting, which blocks most network-based vectors.

Microsoft Fix it 50522 Steps:

  1. Download and then install update 2264107, available from the bottom of the page at KB 2264107.
  2. From the same page, click the Fix it button or link under the Enable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the fix it wizard.

    The Fix it solution will deploy the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.
Note: The tool is limited to protecting against DLL preloading only and does not protect against .exe files that do not properly load files via a fully qualified path. As stated previously, the software vendors will be required to update those applications accordingly.


 

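Added example, not from the thread or from Microsoft's Fix it package: the Fix it described above works by writing the CWDIllegalInDllSearch registry value documented in KB 2264107, so a PowerShell script can verify what it left behind and reproduce the setting, system-wide or for a single application. The function names and the -Exe / -Level parameters are this example's own; it assumes update 2264107 is installed (Windows honours the value only then) and an elevated shell for the Set-* calls.

```powershell
# Added example; not from the thread or from Microsoft's Fix it package.
# Reads and sets the CWDIllegalInDllSearch value that Fix it 50522 deploys
# (documented in KB 2264107). Writing needs an elevated shell, and Windows
# only honours the value once update 2264107 is installed. The function
# names and the -Exe / -Level parameters are this example's own.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName         = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchMeaning {
    param($Value)
    # Get-ItemProperty returns REG_DWORD as a signed Int32, so 0xFFFFFFFF shows up as -1.
    if ($null -eq $Value) { return 'not set: current directory is searched as before (no mitigation)' }
    switch ([int]$Value) {
        0       { 'current directory is searched as before (no mitigation)' }
        1       { 'current directory skipped when it is a WebDAV folder' }
        2       { 'current directory skipped when it is a WebDAV folder or a remote share (the Fix it 50522 setting)' }
        -1      { 'current directory removed from the DLL search order entirely (0xFFFFFFFF)' }
        default { "undocumented value $Value" }
    }
}

function Get-CwdDllSearchPolicy {
    param(
        # Image name such as 'utorrent.exe' to read the per-application override
        # under Image File Execution Options; omit it for the system-wide setting.
        [string]$Exe
    )
    $key   = if ($Exe) { Join-Path $IfeoKey $Exe } else { $SessionManagerKey }
    $scope = if ($Exe) { "per-application ($Exe)" } else { 'system-wide' }
    # -ErrorAction SilentlyContinue: a missing key or value simply reads as $null (not set).
    $raw = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Scope   = $scope
        Key     = $key
        Value   = $raw
        Meaning = Get-CwdDllSearchMeaning $raw
    }
}

function Set-CwdDllSearchPolicy {
    param(
        # '0', '1', '2' as documented in KB 2264107; 'Never' writes 0xFFFFFFFF.
        [Parameter(Mandatory)][ValidateSet('0', '1', '2', 'Never')][string]$Level,
        [string]$Exe
    )
    $key = if ($Exe) { Join-Path $IfeoKey $Exe } else { $SessionManagerKey }
    # The per-application subkey under Image File Execution Options may not exist yet.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # PowerShell passes DWORD values as Int32, so 0xFFFFFFFF has to be written as -1.
    $dword = if ($Level -eq 'Never') { -1 } else { [int]$Level }
    Set-ItemProperty -Path $key -Name $ValueName -Value $dword -Type DWord
    Get-CwdDllSearchPolicy -Exe $Exe
}

# Usage (run as Administrator for the Set-* calls):
#   Get-CwdDllSearchPolicy                               # did the Fix it leave Value = 2 behind?
#   Get-CwdDllSearchPolicy -Exe 'utorrent.exe'           # any per-application override for this image?
#   Set-CwdDllSearchPolicy -Level 2                      # reproduce the Fix it 50522 setting
#   Set-CwdDllSearchPolicy -Level Never -Exe 'someapp.exe'   # drop CWD from the search path for one image only
Get-CwdDllSearchPolicy | Format-List
```

The value 2 is the one the Fix it chooses because it only refuses DLL loads from the current directory when that directory is a WebDAV folder or a remote share, the two network vectors the advisory describes. The 0xFFFFFFFF setting is stronger, but it is exactly the change that breaks applications which legitimately load their DLLs from the current directory, which is the reason given in this thread for Microsoft not shipping it as a blanket patch; scoping it to a single image through the Image File Execution Options key lets you harden one application at a time without that breakage.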