Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

You deployed MS09-008 – are you now protected?


You might have seen several reports that MS09-008 does not protect you from the vulnerabilities. We reviewed these claims and customers who have deployed MS09-008 are protected from the four vulnerabilities.

If you want the details, consult our Security Research & Defense Blog, where we posted "MS09-008: DNS and WINS Server Security Update in More Detail", as the problem is somewhat more complex than just “yes/no”.

Roger

Comments
  • Roger,

    This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.

    As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters,

    Once these values are created in the registry, if anyone tries to launch a “man-in-the-middle” attack it won’t succeed, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.

    However, in the case of the MS09-008 patch it doesn’t work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn’t solve the problem and the “man-in-the-middle” attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is “isatap” instead of “wpad isatap”, so the queries to WPAD are not being blocked.

    In case a successful attack has already taken place before applying the patch, your traffic can be being redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there “sniffing” all your traffic.

    Microsoft guys have blogged about this and how to resolve this; you can find more information here:

    http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx

    Shoaib

  • Hi Shoaib,

    this is the fundamental disconnect in the discussion about whether the update protects you or not: A Security Update is here to protect you from an exploitation of a vulnerability but will never clean your machine if you have already been successfully attacked before you installed the update.

    Roger

  • Hi Roger,

    I agree with your comments. We need to make sure other organizations understand that as well.

    Thanks

    Shoaib
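
A post-patch check for the state discussed in the comments above, as an added PowerShell example (not part of the original post or comments, and not Microsoft's code): it reads GlobalQueryBlockList, reports which of wpad and isatap are not blocked, and lists existing records with those names for review. It assumes an elevated session on the DNS server with the DnsServer module available; `Test-QueryBlockList` is a hypothetical helper name.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the
# DNS server itself; the DnsServer module (Windows Server 2012+) is installed.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$required = @('wpad', 'isatap')

# Hypothetical helper: returns the required names that the list does not block.
# Entries are split on whitespace so "wpad isatap" in one string is handled too.
function Test-QueryBlockList {
    param([string[]]$BlockList, [string[]]$Required)
    $present = @($BlockList |
        ForEach-Object { "$_" -split '\s+' } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() })
    @($Required | Where-Object { $present -notcontains $_ })
}

# GlobalQueryBlockList is the registry value named in the comments above.
$params  = Get-ItemProperty -Path $key -ErrorAction Stop
$list    = @($params.GlobalQueryBlockList)
$missing = @(Test-QueryBlockList -BlockList $list -Required $required)

if ($missing.Count -eq 0) {
    Write-Output "Block list covers: $($required -join ', ')"
}
else {
    Write-Warning "GlobalQueryBlockList = '$($list -join ' ')'; not blocked: $($missing -join ', ')"

    # A name left off the list still resolves, so show what it resolves to.
    # Timestamp is set on dynamically registered records and empty on static ones.
    $zones = Get-DnsServerZone |
        Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        foreach ($name in $missing) {
            Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -Name $name -ErrorAction SilentlyContinue |
                Select-Object @{ n = 'Zone'; e = { $zone.ZoneName } }, HostName, RecordType, Timestamp
        }
    }
}
```

Any record the script lists should be confirmed as one your organization created on purpose; a wpad record nobody recognizes is the already-compromised case the comments describe.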
