Wednesday, April 11, 2007

Microsoft Patch Releases

Generally, an intelligent entity is able to learn from not only its own mistakes but also from those it sees others make. An entity that keeps repeating the same mistakes over and over is deemed to be moderately unintelligent.

Well, in that case Microsoft must be the dumbest company on the face of this planet (and probably quite a few others). Not only have they once again released a Service Pack for a Windows NT-based operating system that breaks networking on many machines (Windows Server 2003 SP2 this time, Windows NT 4 Service Pack 2 last time), but they have also released a second patch for the Animated Cursor component in Windows (obviously, an animated cursor is critical on any server), and this time they have followed their long-established path of shipping a broken patch that almost immediately needs a patch for the patch.

MS07-017 left a great many machines worldwide unable to run applications properly, with an error message similar to:

application_executable_name - Illegal System DLL Relocation
The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

This is because Microsoft broke their patch and then tried blaming Realtek for the issue. Note that the DLL named in that error message, Hhctrl.ocx, is Microsoft's own HTML Help control, so the address-range collision is between two Microsoft components; as further proof that it is a Microsoft issue, more applications have the same problem with this new MS07-017 patch. And as final proof of the origin of the issue, Microsoft have released a new Windows XP Update to address the problems they created by not testing MS07-017 properly before releasing it.
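The error message above describes a preferred base address collision. Every PE image is linked with a preferred ImageBase, and its preferred range is ImageBase to ImageBase + SizeOfImage, both read from the PE optional header. Windows system DLLs such as user32.dll expect to land at that base in every process; if another image whose preferred range overlaps is mapped first, the loader has to relocate the system DLL, and the XP loader reports exactly that. The script below is an added example, not code from the original post or from Microsoft: it parses ImageBase and SizeOfImage out of PE headers and reports which images would overlap. The module names and addresses in the sample are constructed for illustration and are not the real values of those files on any particular build; the DYNAMIC_BASE check is there because an image that opts in to ASLR (Vista and later) is relocated routinely, so a collision only matters for images without that flag.

```python
import struct
from itertools import combinations

PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image tolerates ASLR relocation


def _optional_header_offset(image):
    """Locate the optional header: MZ header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew + 4 + 20


def preferred_range(image):
    """Return (ImageBase, SizeOfImage) from the optional header.

    ImageBase is at offset 28 (4 bytes) in a PE32 optional header and at
    offset 24 (8 bytes) in PE32+; SizeOfImage is at offset 56 in both.
    """
    opt = _optional_header_offset(image)
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size = struct.unpack_from("<I", image, opt + 56)[0]
    return base, size


def has_dynamic_base(image):
    """True if DllCharacteristics (offset 70 in both header kinds) opts in to ASLR."""
    opt = _optional_header_offset(image)
    flags = struct.unpack_from("<H", image, opt + 70)[0]
    return bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def find_collisions(modules):
    """modules: {name: image bytes}. Return sorted (a, b) name pairs whose preferred ranges overlap."""
    ranges = {name: preferred_range(img) for name, img in modules.items()}
    hits = []
    for a, b in combinations(sorted(ranges), 2):
        a_lo, a_len = ranges[a]
        b_lo, b_len = ranges[b]
        if a_lo < b_lo + b_len and b_lo < a_lo + a_len:  # half-open interval overlap
            hits.append((a, b))
    return hits


def preferred_range_of_file(path):
    """Wrapper for real files on disk; only the headers are needed, so read the first 8 KiB."""
    with open(path, "rb") as f:
        return preferred_range(f.read(8192))


def build_stub_pe(image_base, size_of_image, pe32plus=False):
    """Constructed minimal PE header for offline testing: DOS header, COFF header and an
    optional header with no data directories or sections. It is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96  # optional header size without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: the addresses are illustrative, not the real values of these files.
SAMPLE_MODULES = {
    "user32.dll": build_stub_pe(0x7E410000, 0x91000),
    "hhctrl.ocx": build_stub_pe(0x7E290000, 0x1C5000),
    "third_party.dll": build_stub_pe(0x10000000, 0x20000),
}

if __name__ == "__main__":
    for name, img in SAMPLE_MODULES.items():
        base, size = preferred_range(img)
        print("%-16s base=0x%08X size=0x%06X aslr=%s" % (name, base, size, has_dynamic_base(img)))
    for a, b in find_collisions(SAMPLE_MODULES):
        print("preferred ranges overlap: %s and %s" % (a, b))
```

To check a real machine, feed preferred_range_of_file the system DLL and every module a failing application loads, and compare the preferred base of any flagged module against the address it is actually loaded at (as shown by a tool such as Process Explorer); a module loaded away from its preferred base is the one that has been relocated.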

I have a few issues with this patch (in particular) and Microsoft patching practice in general.

1. Why does a Windows Server have an animated cursor component? Is this a critical OS component? No. Is this something that should ever, for any reason be installed on any server? No. Then why does Microsoft ship it as a part of their Windows Server family? Secure By Design - I think not!

2. If this were a highly critical patch (as it is) that was only recently discovered and reported to Microsoft and it was in a critical component of the OS (see my previous point), then one *may* be able to give a little leniency to Microsoft. In this case, that is not what happened. On 22 October 2004 (yes, that's 2.5 years ago) this vulnerability was reported to Microsoft. They willingly did nothing about it. That is called "responsible disclosure" on the part of Cesar Cerrudo, the person who found the vulnerability.

Then on 7 November 2006 - over 2 years after Cesar originally reported this vulnerability to Microsoft - Cesar got sick of waiting for Microsoft to perform their corporate responsibilities and made the details of the vulnerability public. That is STILL called "responsible disclosure" on the part of Cesar - over 2 years for Microsoft to address a highly critical vulnerability in a default Windows component is simply "corporate apathy".

So, what did Microsoft then do? If you guessed "they jumped into action" then you'd be sadly mistaken. If you guessed "they did their absolute best impersonation of a statue" then you win the prize. That's right - Microsoft continued to not make history and remain apathetic towards this vulnerability. That's security the Microsoft way.

On 29 January 2007 (that's 27 months - well over 2 years since the vulnerability was originally reported to Microsoft) an exploit for this vulnerability was released by Joel Eriksson. It then took Microsoft over 9 weeks to release the MS07-017 patch to this 2 and a half year old vulnerability.

Which part of "Secure by design, secure by default" does this lax behavior fit into? Does it even fit into "Secure by deployment"? No, there is no security consideration in any of this. Microsoft totally (again) dropped the ball.

3. When Microsoft belatedly released a patch for this vulnerability, they broke it and then blamed a number of 3rd parties for the issues they themselves created. That's appalling. Again, the corporate apathy present in Microsoft, thanks to Steve Ballmer who is at its helm right now, is what's letting them down. They need to realize that security is important to us, even if it isn't really that important to them. And as we are their customers (they sure don't treat us like clients), we DO matter to them, because without us they have no income.

So, all up, I have to express my disgust, once again, in Microsoft's mishandling of another patch release. Don't get me started on Windows Server 2003 SP2...


The Outspoken Wookie


Anonymous said...

Thank you Hilton. This should be the site of the day.

Anonymous said...

Yeah... right. Microsoft is being blamed once again for ANOTHER third-party company that can't follow coding guidelines. Sounds SOOO intelligent! So, I assume you don't DRIVE the car you don't like... then why do you run the OS that you insist on railing against at every opportunity? Just do us all a favor and the dark side.

HiltonT said...

Yes, it is great hiding behind the "anonymous" label and speaking your mind, isn't it?

If you have something to say like that, at least 'fess up as to who you are. It means that people will listen to your POV instead of ignoring it as a rant from someone who is unwilling to put a face to their post.

And as for me railing against an OS at every opportunity, no, far from it. I rail against the things in it that need to be addressed, not just for the sake of it. There's a huge difference.

At least I put a name and URL to my posts and am willing to stand up for what I believe in. I say what I believe, and there are a LOT of others being affected as badly as we are (if not worse) by Microsoft's poor patch coding capabilities.