Windows Update Can Hurt Security

An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

Quiz

[Lord+Grey]

Fill in the blank:

Windows _____________ Can Hurt Security

1. 1) "Applications"
2. 2) "Network Connectivity"
3. 3) "Update"
4. 4) "Users"
5. 5) ""

Re:Quiz

[xjlm]

6) "All of the above" I don't usually pay any attention whatsoever to these Windows Security updates except for comedic value. I use Debian behind two firewalls so it really doesn't affect me.

Re:Quiz

[4D6963]

Fill in the blank:

Windows _____________ Can Hurt Security

1. 1) "Applications"
2. 2) "Network Connectivity"
3. 3) "Update"
4. 4) "Users"
5. 5) ""

1. 6) "Profit"?

Re:Quiz

[MacDork]

6) "Profit"?

(7) Cowboy Neal.

Re:Quiz

Fill in the blank:

Windows _____________ Can Hurt Security
1) "Applications"
2) "Network Connectivity"
3) "Update"
4) "Users"
5) ""

"Alternatives"

Show me a non-Windows OS, and I'll show you a huge security hole in your network security.

Three are risks in everything we do... or don't do. No big surprise. But honestly... trying to say that updating your OS is bad security? That's a huge stretch, even for Slashdot.

Re:Quiz

[German_Dupree]

No, you don't even need a blank.

Re:Quiz

(7) Cowboy Neal. (8) Not enough options.

Re:Quiz

[dogmatixpsych]

Show me a non-Windows OS, and I'll show you a huge security hole in your network security. Three are risks in everything we do... or don't do. No big surprise. But honestly... trying to say that updating your OS is bad security? That's a huge stretch, even for Slashdot.

But that begs the question that all updates are completely secure. Just because something is an update doesn't mean it is better.

Re:Quiz

I think that's what the null string was for.

Re:Quiz

[onefriedrice]

It does effect you if you use the same internet as the rest of us. Compromised Windows machines slow down the internet.

Re:Quiz

[somersault]

It wasn't null, it was just empty >_>

I think FTA is wrong: "a fundamental tenant of security is to conservatively estimate the capabilities of attackers". That means that you should always underestimate the capabilities of attackers. WTF? :P Someone needs to look up the definition of 'conservative'!

Re:Quiz

[somersault]

# oops
$comment =~ s/FTA/TFA/ ;

Re:Quiz

[xjlm]

That may well be, but the only time i notice any real congestion is around the time all the local kids get out of school and turn their computers on. I get download rates as high as 900k and upload at over 100k (unless I'm running KTorrent).

Re:Quiz

No. You are all wrong. It is not a question at all. It just says:

"Windows Can Hurt Security."

Re:Quiz

[theeddie55]

There is no blank Windows Can Hurt Security

Re:Quiz

I do really dislike perl

Re:Quiz

[Cairnarvon]

You don't have any e-mail addresses? Where do you think most spam comes from?
Windows' crap security affects everyone.

Re:Quiz

Not me it doesn't. I'm rich and I drive a BMW. When I use the web my traffic just barges past all other traffic with no concern. See, in the internet there are two types of pipes:
1. The riff-raff pipe that you belong to. With this pipe you obey the rules, and if there is something holding it up you either wait or give up and try again later. This is what you pay for and what you will get.
2. The millionaires pipe. Think of it as our own lane on every road. Not for you riff-raff. Stay off or my butler will shoot you. So what if it is subsidised by you. Clear off.

Re:Quiz

You're missing the obvious answer: *

Re:Quiz

[imess]

6. XP
So we should all move to Vista.

Now where is my t-shirt?

Re:Quiz

[Gewalt]

I think FTA is wrong Here, Here! I am also a firm believer that F'ng T A is just plain wrong. No one should do that.

Re:Quiz

[SlowMovingTarget]

#6 only occurs if you have the Windows Underpants Collector for Workgroups 1.5 application installed. Unfortunately, this was written for Windows 3.11. Attempts to run it on fatter (err... newer) versions of Windows result in an Uncovered A(sterisk) Error (UAE).

Ubuntu gives you the Gnome for free, however. (One of those "give a man a pair, teach a man to collect" things.)

Re:Quiz

No, it doesn't effect me one whit. It may AFFECT me, but if it affected me, you'd have said that, right?

Re:Quiz

[Sneftel]

I think you mean "__________ ___________ Can Hurt Security". There's nothing Windows-specific about this approach. It would work just as well with apt-get.

Re:Quiz

In engineering, at least, conservative usually means "assume the worst." In this case that would mean "assume the attackers are very capable" rather than underestimating them.

Re:Quiz

[zdude255]

9) All of the above.

Re:Quiz

[mysidia]

(5) Installer

Re:Quiz

[somersault]

I like it!

$balance = restore($balance);

Microsoft's Response

Microsoft has cautioned its enterprise customers by responding with a white paper that finds security and profits to be independent variables. The widely criticized paper uses Microsoft's own software history as a model business thriving in this manner.

Seriously, a reason that the consumer needs Microsoft more to bail them out? I couldn't think of better news for Microsoft's future ...

Doesn't matter

[Z00L00K]

You can never distribute patches synchronously to all the PC:s in the world. And you can't hide what the patch fixes.

You are damned either way. The only way to avoid complete damnation from security vulnerabilities is to run a large number of different operating systems, but then you are damned to live a life in complete confusion about system maintenance instead.

The onion principle is a general security term that has been defined a long time ago, but the fact that we are all online in some way or another all the time means that the onion is rotten.

Re:Doesn't matter

[Loether]

I admit I didn't rtfa. however if you use bittorrent or a similar system everyone downloading at the same moment would work better and faster. Everyone would have the patches very close to the same time. At the very least that would decrease the amount of time a potential attacker has to attempt this.

Re:Doesn't matter

You can never distribute patches synchronously to all the PC:s in the world. True enough.

And you can't hide what the patch fixes. Wrong. You can encrypt the patch.

Steam has no problem distributing games to players so that they can all unlock them on release day. All you have to do is preload the patch with staggered downloads but not send out the key until the same time. Then all machines can decrypt and patch and install them at roughly the same time, helping to greatly cut down on the time between when the patch can be figured out and the time that machines are still vulnerable.

Not fool-proof, of course, but it seems like something Microsoft should seriously consider doing.

Re:Doesn't matter

[Sancho]

At one time, patches were delivered to corporate customers in a different time frame than standard windows update users, weren't they? Also, beta patches would suffer from flaws, as those are also staggered.

Nonetheless, outside of these two cases, it seems like Microsoft is being targeting because, well, they're Microsoft. They have a huge market share and a really good update management system, so they're a big target for something like this. That coupled with their history of vulnerabilities, and it's easy to understand why they were picked over, say, Apple.

Re:Doesn't matter

[Nos.]

Its not that simple. My parent's turn their computer on maybe twice a week. Other's don't have constant net connections.

Re:Doesn't matter

[piojo]

And you can't hide what the patch fixes. Actually, I disagree. What if Microsoft obfuscated or encrypted executables the same way that (I've heard) Apple does? Then, any vulnerable executable could be fixed and re-encrypted, and the diff between the two versions would just look like garbage. To get the real data, one would need to break the (obfuscation-based) encryption, but that would take a few weeks (plenty of time for everyone that cares to patch themselves). This depends on Microsoft changing the encryption scheme frequently, like Apple does with iTunes.

Re:Doesn't matter

[Sancho]

But as pointed out, this is not a flaw specific to Microsoft. The only way that it's reasonable to target a specific vendor in this case is if they don't dump the patches on everyone simultaneously. Users applying patches in a timely fashion isn't the issue.

Well, either that, or you're advocating not issuing patches at all. That sounds like a pretty bad idea.

Re:Doesn't matter

[Ed+Avis]

You can certainly distribute the patch synchronously to 99% of the PCs (the other 1% being those not connected to the Internet or with broken auto-update). Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet. Clients could even distribute the key among themselves peer-to-peer. The bigger problem is the timelag between the patch being revealed to the world and the machine starting to run the upgraded version of the software (which often requires a reboot). It might be necessary for patches to contain instructions saying to stop the vulnerable service immediately and not bring it back up until the new code is installed.

However, would such a scheme be compatible with free software? Under the GPL, would a Linux distributor be permitted to send out encrypted binary patches and only reveal the decryption key later?

Re:Doesn't matter

[Jarjarthejedi]

Which does nothing to help out those who either can't (insert system admin worries here) or don't patch their machines.

The current system works fine for those people who autopatch. It takes only a very short time to get the latest patch, shorter than it takes to get the bug, find a good page to work it onto, build up enough trust to get people there, and then deploy it. All this really affects is those users who don't patch their machines.

Re:Doesn't matter

[cbart387]

The bigger problem is the timelag between the patch being revealed to the world and the machine starting to run the upgraded version of the software (which often requires a reboot). That brings up a good point that I wonder if anyone has an answer to. Why is it that all windows updates require a reboot but very few linux updates do?

Re:Doesn't matter

[OzPeter]

How about image fresh system, apply patches, compare result with fresh system? No need to break encryption at all.

The only way you can stop this is if all system data was encrypted and the user was not trusted with the keys to decrypt.

Now where have I heard that before??? Hmmm .. TPM anyone?

Re:Doesn't matter

[JustinOpinion]

You can never distribute patches synchronously to all the PC:s in the world. Maybe you could.

Consider that a patch is first distributed as an encrypted file. The decryption key is kept secret until everyone has a chance to download the patch. At a pre-determined time, the decryption key is transmitted to everyone (the key is quite small so everyone getting it at nearly the same time shouldn't overwhelm the distribution server; a simplistic multicast or tree-like distribution system (like NTP) could further alleviate this problem). So then every computer patches itself at more-or-less the same time.

To prevent any attacks during the short window while systems are patching themselves, the protocol could be: download key; shutdown network; decrypt patch; apply patch; restart network.

This system, of course, introduces its own problems. For one thing, many organizations are not going to trust new patches without testing them first. The additional complexity may not be worth the effort, especially considering that the real problem here is that people in general don't keep their systems up-to-date.

Re:Doesn't matter

[PoderOmega]

But if Microsoft did that, how would we find all their undocumented API calls?

If the executable and libraries all run in memory encrypted or unencrypted wouldn't you be able to tell what the patch changed by comparing an unpatched versus patched process in memory? It would obviously be more difficult because the executable would actually have to be used in a method that the patch affected.

Re:Doesn't matter

[ShieldW0lf]

That's a really smart idea. Someone mod this guy up.

Re:Doesn't matter

[Nos.]

I never suggested it was vendor specific. There is not a good way (that I see) of getting around this, except as Z00L00K originally mentioned, the onion principal. Security comes in layers, if you're using layers of security, an exploitable hole in a specific application may not actually make you vulnerable, or be high risk. That's why my desktop machines are firewalled and NAT'd. That's why I run more than one virus scanner. That's why I follow simple guidelines with email and web surfing.

Re:Doesn't matter

[Sancho]

You can't overwrite a file that's in use by Windows. You can overwrite a file that's in use by Linux. The old image is still there. Any new processes loading the file will get the new version, and any old processes which still have a file handle to the old file get to use the old image.
I don't know if that's the whole reason, but I bet that it's part of it.

Re:Doesn't matter

[What+Would+NPH+Do]

Because in Linux you only need to reboot if you're messing around in the kernel. Everything else can be patched and then restarted. Why Windows needs to reboot for something that isn't kernel related is rather odd to me.

Re:Doesn't matter

[silvaran]

How about distributing them encrypted over the course of days or weeks, and then releasing a decryption key (pretty minuscule by comparison) once distribution volumes are sufficiently high?

Re:Doesn't matter

[What+Would+NPH+Do]

Well then don't you think it would just be better that the update would just restart the relevant processes rather than making you completely reboot? That would make more sense to me...

Re:Doesn't matter

[silvaran]

My bad: http://it.slashdot.org/comments.pl?sid=527278&cid=23119308

Re:Doesn't matter

[cbart387]

That's what I would think, and perhaps I should have clarified. I understand why/how linux is able to update processes without shutting down the whole system. I'm just perplexed as to why Windows doesn't/can't do the same. Perhaps it's just a simple matter of poor engineering (or lack thereof).

Re:Doesn't matter

Why is it that all windows updates require a reboot but very few linux updates do?

In windows you cannot replace used (locked) files. What the update does is create fixed copy of the used file, which replaces the locked copy on reboot. In Linux, you can delete a file without affecting programs using it, as long as those programs have an open file descriptor to it. The fixed file is put in place and any new program will benefit from the fix. The programs that ran before the fix will have to be restarted.
I am not sure how updating kernel works, though.

Re:Doesn't matter

At 0 for 3, I think it's time you took the refresher course in correct apostrophe usage.

Re:Doesn't matter

[Nos.]

If you're going to try an be a grammar nazis, you'd think you would at least get it right. I got 1/3 correct. There was nothing wrong with my usage of "don't"

Re:Doesn't matter

[Opportunist]

Not really. You can distribute fixes asynchronously while still retaining security. But it would require the user to first of all determine when, how and what is to be fixed, and of course the ability to check the fix.

Easy with OSS, I have no idea how MS is supposed to do it, though.

Re:Doesn't matter

[legirons]

Or distribute encrypted patches over the course of a day, then when you publish the key everyone can update

Re:Doesn't matter

[Opportunist]

Huh? Distributing a fix through a network of computers not under your control to increase security?

Sounds insane at the first glance, could make more sense with a bit of tweaking. There is a very large number of machines wanting the fix. Now, one may safely assume that the majority of machines get a "good" fix, and only a few machines try to seed a backdoor. If you find a way to connect to your peers and ask them for some footprint of their patch (MD5, CRC, whatever), you can validate whether the fix you get is good or bad.

Yes, that could work. I have no idea what legal thinks about such a system of "peer pressure", though. You'd hand over a lot of power to your users.

Re:Doesn't matter

[MrKahuna]

Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet.

How would you ever know when "all" the clients have downloaded it? How would you know when the LAST person downloaded it? Do we all have to wait for that one person on a 300 baud solar powered modem living under a rock in a cave? There's no way to totally eliminate this problem via the patch delivery mechanism. Things like Steam work because there's a defined public release date and many people willing to download it in advance. However there are also many people who download after the release date.

Re:Doesn't matter

[Ed+Avis]

One way is to make systems start up in a restricted mode where all they can do is connect to the update server and check they have all the latest security patches. That way, systems that were switched off when the update was announced will catch up on the next boot.

Patches could be in two parts: the first part just says what service is affected (and should thus be shut down until patched), and the second part contain the actual code. Even hosts on slow network connections would be able to get the first part of the patch, and once the key is revealed to the world, shut down the vulnerable service. It wouldn't restart until the new code was downloaded and installed.

You are right that you could never get 100% coverage. But it would certainly help reduce the window of vulnerability from several days to a few seconds. That still might not be enough.

Re:Doesn't matter

[blacklint]

Theoretically that would work, but my oh my that would be complicated.

One real world example of essentially the same thing: FIRST Robotics wants to make sure that everyone has access to the game manual at the same time at the start of the build season without creating a massive load on their servers, and to make it available for those who don't have internet access where they watch the kickoff. They begin distributing an encrypted version of the manual a week in advance, then release the decryption key during the kickoff video.

It works fairly well, but this is a very special case where not releasing early is the primary concern. A cool idea, but I don't see it working (or helping) for updates, especially for small updates that may not be much larger than the key to begin with. It may be more effective for large updates (iPhone firmware updates, for example) where the download size can be prohibitive.

Re:Doesn't matter

[Ed+Avis]

But after running your slick auto-update command in Linux and watching it smoothly install new versions without rebooting the machine, are you 100% sure you're not still running some vulnerable code? What if bash had a vulnerability, and you installed the new version but old bash processes were still running? Services like apache can be restarted, and if you're really lucky then the package manager will know to restart the service after installing a new version. But how confident are you that everything is covered?

At least if you reboot you can be pretty sure that only the new code is running. It's a crude but effective method.

Re:Doesn't matter

[calebt3]

I am not sure how updating kernel works, though. Pretty much the same way, but you need to reboot in order to start using the new kernel.

Re:Doesn't matter

[Ahnteis]

99% of PCs are NOT:
1) Turned on
AND
2) Connected to the internet
at the ANY one time. It doesn't matter if it's 1 packet or 150 packets if the computer is off or not currently connected.

Re:Doesn't matter

[Schraegstrichpunkt]

However, would such a scheme be compatible with free software? Under the GPL, would a Linux distributor be permitted to send out encrypted binary patches and only reveal the decryption key later?

Why not? The distribution isn't complete until the key is published. I don't think a ciphertext would count as a creative work on its own. It certainly doesn't violate the spirit of the GPL.

Of course, there might be issues with distributing only binaries (encrypted or not) without complete corresponding source code (or the requisite written offer), but that's a different question.

If you distributed binaries in cleartext, but encrypted the corresponding source code, then you might have a problem.

Re:Doesn't matter

1/4.

It(+)'s not that simple. My parent(-)'s turn their computer on maybe twice a week. Other(-)'s don(ok)'t have constant net connections.

Re:Doesn't matter

Its not that simple. My parent's turn their computer on maybe twice a week. Other's don't have constant net connections.

He was referring to those 3. One was an error of omission, but an error nonetheless. You're 1 for 4.

Re:Doesn't matter

This again comes back to Microsoft not supporting standards.

If Microsoft simply supported rfc 3514, then anyone requesting the patch for nefarious purposes could be prevented from receiving it or be given a bogus version.

Re:Doesn't matter

init 1

Re:Doesn't matter

[Deanalator]

A large number of different operating systems? You do understand that what this means is that no matter what new vulnerabilities are discovered, something of yours can get hit. This is bad.

The proper solution is to minimise attack surface. Run minimal services that expose minimal resources.

Furthermore, onion analogies only work in cartoons. The problem with "layered security" is that it implies that more layers is always better. Honeypots, complex email scanners, and IDS can be helpful in the right situation, but also give the attacker much more to hit.

Re:Doesn't matter

[darkmeridian]

Patching all the systems in the world in one shot would be terrible if the patch was defective and rendered everything useless, wouldn't it? Some enterprises do not update their systems until enough time has passed that they are pretty certain that the update is not going to kill their systems. If you patch simultaneously, there wouldn't be any guinea pigs to warn of bad updates.

Re:Doesn't matter

[Vellmont]

are you 100% sure you're not still running some vulnerable code?

If I've restarted the server process, yes.

What if bash had a vulnerability, and you installed the new version but old bash processes were still running?

I'd kill all bash processes.

if you're really lucky then the package manager will know to restart the service after installing a new version.

That's been quite standard for a long time. I know Redhat includes that in their RHEL distribution. So I wouldn't exactly call that "really lucky"

But how confident are you that everything is covered?

Unless it's something critical like a shared library vulnerability, very confident. In the case of a shared lib, it might be easier to just reboot the machine than restarting all the various processes. But at least you have a choice in the matter, which 9/10 of the time you simply don't with Windows.

Re:Doesn't matter

[Leiterfluid]

1/4, actually.
Its should have been It's
parent's should have been parents.
Other's should have been Others.
don't is correct.

Re:Doesn't matter

[Aram+Fingal]

If you encrypt with a new salt value each time an update is performed, that makes the process much more difficult to work around.

Re:Doesn't matter

[Sancho]

Yes, it's just an architectural difference. I don't know why they chose to do it this way--honestly, I can't think of any significant advantages. The main one is that you would always know without a doubt that the image on disk is the image in use.

Re:Doesn't matter

[LordSnooty]

Perhaps the OS could prevent 'full' access to the network whilst critical patches are outstanding.

Re:Doesn't matter

[MrKahuna]

Yeah, that might work in a controlled environment. However, doing this in the home environment gets very difficult to the point of being unworkable it seems. It gets particularly tricky if the vulnerable service is in some piece of the networking stack, which in Windows probably includes IE.

Re:Doesn't matter

[Sprinkels]

No, this would be even worse. The effect is that every computer will lose internet access at the same time. Which is much like a inverted DDOS attack. Most people will like this. On the positive side, all internet bandwidth will be available for patch distribution...

Re:Doesn't matter

[vux984]

I admit I didn't rtfa. however if you use bittorrent or a similar system everyone downloading at the same moment would work better and faster. Everyone would have the patches very close to the same time. At the very least that would decrease the amount of time a potential attacker has to attempt this.

Meanwhile asynchronously installing patches throughout your enterprise willy nilly the moment they show up will eventually bring your mission critical systems down.

Increasing security at the expense of stability? That's going to be a hard sell to any competent IT department.

Re:Doesn't matter

[Sprinkels]

Guess I should have used that preview button. Obviously it should be read as most people will not like this.

Re:Doesn't matter

[Digital_Quartz]

This is an interesting problem, although perhaps ultimately not worth solving. Suppose we release an encrypted patch, and then the key a week later. If you can download the patch when your machine is turned on at any point during the week, then if your machine is not on when the key is released, your vulnerability window is from the time you next turn on your computer to the time you get the key, which should be quite short. The likelihood of a botnet finding your machine in that window is small (and, for those of us behind firewalls, the odds of us going out into the internet and finding malicious content during that period is much smaller).

If you DID want to solve it though, how? This is what comes immediately to mind for me; imagine that when I first turn on my computer, my computer connects to my firewall and says "Hey firewall, I want access to the internet, but first, do you have any patches for me?" If the firewall does, it sends the keys and/or patches to the machine, and doesn't let the machine onto the network until those patches are installed.

A little tricky to implement and make compatible with existing applications. Perhaps have the OS present the interface as down to user-space while this negotiation is going on?

You still need a firewall which is on all the time (and/or a firewall with no vulnerabilities). You could move this functionality up to the ISP level, assuming you trust your ISP.

As I said at the beginning, perhaps not worth the money and effort to implement, given the very small hole it is patching.

Re:Doesn't matter

[poot_rootbeer]

Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet.

How would one determine that "all" clients had finished downloading the encrypted patch?

Couldn't I prevent the patch from ever being applied anywhere in the world by spoofing a client which keeps reporting "haven't finished downloading it yet..." back to the central authority forever?

Re:Doesn't matter

[Ed+Avis]

I'd kill all bash processes.

Right, and you religiously do this every time after the automated update runs? And so do all other Linux users?

[auto-restarting a service after installing an update]

That's been quite standard for a long time.

For server programs like Apache, maybe. It depends on the rpm spec file. But certainly not for bash, or perl, or X11, or many other things that might have a security bug. As I said, it's mostly a question of luck.

I'm not saying that forcing a reboot is always better - certainly I myself don't reboot my Linux box after installing updates - just pointing out that it may be necessary if you have your paranoia level set to high. Which might be the most appropriate setting, in the world of Windows and botnets.

Re:Doesn't matter

[RiotingPacifist]

No it doesnt hes got around all the encryption by taking the end points, no encryption can help here.

end - start = patch

As he pointed out the only way to keep the patch safe is to encyrpt the program and hide the keys.

Re:Doesn't matter

[sharkey]

Everyone except for Comcast customers, anyway.

Re:Doesn't matter

Haha. oh crap! I am a comcast customer. :(

Re:Doesn't matter

[RiotingPacifist]

The same reason that under ubuntu, an upgrade to x will tell you to reboot, if you start the system up clean, there's less chance of something going wrong (actually theres the same chance, but there's a chance that it will fix itself)

Im not sure how modular windows is, under linux, only a kernel upgrade actually requires a reboot, It doesn't make much of a difference unless your doing it manually tho, the OS cant just reboot the networking stack without taking out all programs attached to it, which is worse than a reboot, because youve probably got the severs setup to work right after a boot, but they you dont prepare them for a netowrking stack going down. I do think the best way to deal with the problem would be to be more honest with users, popup a message asking if its ok to reboot the relevant stacks, but that might scare some newbies!

Re:Doesn't matter

If you have a half-way secure machine in the first place, running a good firewall, sandbox, and scum-checker, most attacks would not get into your box or mess it up if it did.
The only reason that the onion is rotten is that there are a bunch of script-kiddies out there with no morals, and no common sense. Oh, yes, and a bunch of criminals and governments willing to pay them to be scum.

Re:Doesn't matter

[atraintocry]

How can there be an advantage of forcing people to wait for security patches? If someone has it downloaded, let them install it right away, rather than artificially increase the length of time they remain vulnerable. And if you come to the (patching) party late, you get what you get. The early patchers won't have anything to worry about.

Especially with free software...the source code's already available, so security through obscurity (or obsfucation) is kind of moot.

Re:Doesn't matter

[atraintocry]

The other part is that, not all Windows updates actually require reboots. There's actually a few that don't :)

Re:Doesn't matter

[The+MAZZTer]

But you can't get exploited when your computer is off, and very rarely when you're not hooked up to the 'net.

Re:Doesn't matter

Encrypting the patch would be completely pointless. Anyone could just diff the file, disk, or system directory before and after the patch.

Re:Doesn't matter

[Bazar]

Thats a poorly implemented encryption if it was cracked so easily, and its not obfuscation.

There are plenty of ways to do encryption, ultimately you'd need some form of DRM to make it work. Because at some point, it'd need to be decrypted into memory on the client's machine, and without DRM, there is nothing to stop a 3rd party app from retrieving it from memory.

Obfuscation however could work pretty well, because if they patched not just the exploit, but shuffled everything around in the process, they couldn't just do a diff to find out what they changed, as everything would of changed.

They'd need to create a tool to unobfuscate the differences, and highlight what has been patched.

The problem being it becomes an arms race in the same way DRM is an arms race. Microsoft would have to keep inventing new obfuscating logarithms, and the crackers would have to keep working out how the current logarithm obfuscates.

Not to mention, the potential for obfuscation to introduce bugs could be very problematic.

Re:Doesn't matter

[Vellmont]

Right, and you religiously do this every time after the automated update runs?

I don't recall ever seeing a critical security update in something as innocuous as bash in the last 10 years. But if there was, and it was on a system I gave a shit about, sure.

  And so do all other Linux users?

I'm not "all other linux users". So I can't speak for them. Anyways, I'm not really sure what this has to do with not having to reboot being a hell of lot better than being forced to reboot.

As I said, it's mostly a question of luck.

It's not a question of "luck", it's a question of knowing what the hell you're doing, and what it's going to affect. Sure, if you know NOTHING, it's safer to "just reboot".

just pointing out that it may be necessary if you have your paranoia level set to high.

I've often noted that the less people know, the more they're afraid. Why not just learn the system and understand what you need to do rather than just taking the quick and easy (hard in the long run) of rebooting?

Re:Doesn't matter

[Aliencow]

Well, this is called Network Access Control, or NAP in Windows 2008.

The day my ISP starts controlling wether my machine is "up to date" enough to use it is the day I get a new ISP.

Plus, it would be over-estimating end-users to think they'd get some fancy router because it lets them wait a bit longer before using their computers....

Re:Doesn't matter

[Vellmont]

I don't know why they chose to do it this way

I honestly believe it's a result of the roots of the OS. Windows started out as a single user system. "Just reboot!" was OK because you weren't affecting anyone but the guy in front of the machine.

Re:Doesn't matter

[gmack]

This is actually a good argument for package updates rather than security patches. With a package update several other bugs could have been fixed so it should be at least harder to find out what bugs were exploitable.

Also has the advantage of the first security update moving everything to the latest version instead of needing 30 patches to get there.

Re:Doesn't matter

[gmack]

But the next time they login they could end up exploited before the patch is installed.

Re:Doesn't matter

Actually, NTFS has to be able to support POSIX semantics in order to implement the POSIX subsystem, so Windows has technically been able to do the same thing as *nix for a long, long time.

The reason they don't is probably more a matter of paranoia than anything. It's easier to tell people to reboot than expect them to actually know what's going on in their computer.

For example, if I install a game, for goodness sakes, the installers often tell me to reboot at the end, even though it's only installing an isolated user-mode application. There's no reason for it, it's just the application developer being cautious/lazy.

That said, Vista's been trying to reduce the number of reboots caused by updates, but I certainly haven't noticed any difference. :-)

Re:Doesn't matter

[piojo]

Yes, this is what I meant. You described it much better than me, though.

Re:Doesn't matter

[xOneca]

I thought you wanted to say "people who wants inverted DDOS will like this".

Re:Doesn't matter

[Asgerix]

The problem being it becomes an arms race in the same way DRM is an arms race. Microsoft would have to keep inventing new obfuscating logarithms, and the crackers would have to keep working out how the current logarithm obfuscates.

I don't think that word means what you think it means :-)

Re:Doesn't matter

[Ed+Avis]

Read TFA... if some people get the patch before others, they can use it to create a working exploit quickly. To avoid this you have to give the update to everyone at the same moment.

Re:Doesn't matter

The point is that you want to minimize the time between when an attacker first can read the plain text patch and when most client can read (and install) it. Because distributing a 20 byte decryption key is a lot faster than distributing megabytes of patch data, the window of vulnerability can potentially become very small. I implemented a system, FirePatch, almost a year ago that combines this type of two-phase dissemination with a Byzantine fault tolerant peer-to-peer distribution network. You can find the paper at

http://www.iad.cs.uit.no/pubs/firepatch.pdf

No prob...

[Last_Available_Usern]

Just roll the entire i386 directory into every patch.

Re:No prob...

[Sancho]

Because it's not trivial to do a diff to find out which files changed.

It'd take a lot longer, and be only slightly harder, if all of the binaries were encrypted. They've still got to run, though, so the images have to be available in memory.

Re:No prob...

[Vectronic]

First of all, the i386 directory only exists on Windows 2000 and before (or unless upgraded from one of those OS')..unless you meant %systemroot% = i386

Secondly, Windows (and most if not all other OS')..doesnt limit its Update to the Windows directory or sub directories... what about Program Files, Common Files, User Directory...registry...etc.

Thirdly, this doesnt "fix" anything unless you consider increased network traffic a fix...

Generally people who are looking for "whats changed" dont limit their scan to the Modified Date... because the Modified Date can be "Modified"...

Binary comparison (or similar) is what shows the differences, and then disassembly, etc... and with a decent computer you can scan GB's of files for comparisons relatively quickly... so "they" are going to find out what changed anyways...

Re:No prob...

[Last_Available_Usern]

*Sigh* It's become pretty obvious on these forums that intelligence and sarcasm detection are indirectly proportional attributes.

Re:No prob...

[Sancho]

Maybe to some degree, but my fear is that some system developer will read that, think, "Hey, that's a great idea!" and add it to their patch management system.

Re:No prob...

It would still seem that programs with an open source code are more vulnerable to this kind of attack.

But that's almost irrelevant. The attack here is just an automated (though impressive) version of what the botnet builders are doing already: target the people who are indifferent about security updates.

What can be done? I don't know. An outside authority forcing updates would be regarded as the end of internet as we know it. On the other hand, having an ever increasing percent of connected computers joining botnets isn't a sustainable situation either.

Re:No prob...

[dedazo]

You haven't been reading The Daily WTF, I see.

Re:No prob...

[setagllib]

Open source programs tend to release updated binaries immediately after the fix is implemented, so you'll have an updated binary long before an attacker gets around to trying the exploit on your machine. It's specifically delayed deployments like Windows Update which make the problem known but don't provide the solution until much later.

Worst possible way to critize Windows Updates

[pembo13]

There is no good solution to this problem -- that fixing something makes it easier to find old problems. At some point, users need to be responsible enough to apply updates.

Re:Worst possible way to critize Windows Updates

[Last_Available_Usern]

Not really a solution, but more public focus on upcoming vulnerability patches would be helpful. And I don't mean in the sense of *what* the vulnerability is, but moreso that it's coming, and how important it is. As it stands now, everyone is so familiar with "patch tuesday" that's as much an after-thought as a new moon. If we gave each cycle (or at least really important ones) the importance of an eclipse, we might get somewhere. This could be achieved through MS helping us understand the importance of an upcoming release without necessarily divulging all the details of it. When a boss knows the importance of a patch before it's released (even if he doesn't understand *what* it fixes), the IT staff is much less-likely to allow that vulnerability to go unmitigated as their ability to bullshit their way through damage control after-the-fact has gone out the window.

Re:Worst possible way to critize Windows Updates

[Tontoman]

They could encrypt their OS (and patches) with Windows Media DRM. Then it would be illegal to decrypt and backwards-engineer the patches. The RIAA would enforce.

Re:Worst possible way to critize Windows Updates

[evanbd]

If I have it set to auto-update as soon as the update is available, it's hard to argue I'm being irresponsible. If it takes longer to get the update to everyone than it takes the attacker to create a new exploit, that's a problem -- and not one that users can solve.

Re:Worst possible way to critize Windows Updates

[RonnyJ]

The silly thing is, it's even easier to research how vulnerabilities would work on unpatched systems for open-source software - you don't need to examine the patch, you have access to the changes in the source code!

Re:Worst possible way to critize Windows Updates

[corsec67]

The problem with instant auto-update, is that patches that wreck your system get applied instantly.

And then what about updates that need a reboot? Should that be automatic and instant?

This is a very hard problem, with no easy answer aside from "build it with security from the ground up"

Re:Worst possible way to critize Windows Updates

[realthing02]

I think you actually missed the worst part about this summary (not the article...)

From the summary: "Such as Windows Update... can detract from overall security, and should be redesigned."

The ellipse represents 14 pages of information in this sentence. And the Actual PDF doesn't say it detracts from security, but rather that the scheme is insecure. Which is quite a difference. Normally I don't do this, but the quote is really stupid when put the way the contributor or editor put in there. The article was interesting enough on its own accord (automatic patch-exploit generation) without having to throw your own personal cracks in there.

Let's grow up, people.

Re:Worst possible way to critize Windows Updates

[Opportunist]

But remember, in Soviet Russia, law enforces YOU!

In other words, try to enforce something in a country that doesn't care about your problems, since it has its own.

Re:Worst possible way to critize Windows Updates

[evanbd]

Most users turn on auto-update; instant doesn't add any downsides. If you're worried about that, then you need to do your job as a sysadmin, and this wouldn't change anything there either (since you'd have auto-update turned off in either case). Things requiring a reboot would be handled however they are currently -- just with less latency between the patch being available and everyone having it.

You're right, of course, that there is no easy answer.

Re:Worst possible way to critize Windows Updates

[Ahnteis]

Thank you for your post. I'd mod it if I had the points, but failing that, I'll just be glad that we got above level of Digg commentary, if only for a moment.

update this, fuckers

Profitability is key, not security. Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

And you are.

Sorry.

Re:update this, fuckers

[somersault]

Meh, don't come crying to me when some guy in [insert-evil-country-here] steals your identity, uses it to buy a few Porsche's and setup illegal goat kid porn themed websites in your name. You keep making your messes, I'm happy to make $50000 a year cleaning them up as long as it doesn't happen more than two or three times a year..

Re:update this, fuckers

[Opportunist]

(shrug)

I don't mind being a 70k a year janitor. Dunno if it would be cheaper to just not make a mess, but hey, I certainly won't complain about it. Every time your computer barfs, my cash register jingles.

Re:update this, fuckers

[alx5000]

In my case, I seriously doubt they'd even get a Porsche's seat-belt...

Re:update this, fuckers

and setup illegal goat kid porn themed websites HAH, Kid, goat, that's funny!

Windows bashing aside ...

[utnapistim]

... patch based security is also the model linux uses (as far as I understand).

Furthermore, for Linux access to the unpatched code is also easy to obtain.

Somebody please correct me if I'm mistaken.

Re:Windows bashing aside ...

[Kjella]

Right, in fact this probably indicates that patch tuesday may not be a bad thing because then at least every admin worth his salt knows that's the time to update the systems. With patches coming in almost daily on Linux, you either have constant patch duty or it's a lot more staggered already. That's assuming you actually do something with the patches and don't just auto-apply everything, in which case I guess it doesn't matter. But, let's try to make everything with an anti-microsoft spin shall we?

Re:Windows bashing aside ...

[Craig+Maloney]

That was my understanding as well. There will always be a lag time between discovering and patching a flaw. Unless Microsoft starts using something like satellite technology and distributes a satellite receiver to every user of Windows, you'll always have to deal with lag for getting patches out.

Re:Windows bashing aside ...

[phantomfive]

Kernels are usually distributed as binaries, but in general other software is distributed by source. Of course, different distros do it differently.

However, the fact that you can obtain the code makes no difference, and may even be a hinderance, since an exploit can be created here in as little as a minute just from the binaries.

The major difference here between Windows and Linux is that Windows is a lot more of a mono-culture. In the linux world, there is no guarantee that an exploit will be available the same way. It is also unlikely that two different distributions have the same binaries. In fact, different computers using the same distro can end up with different binaries.

Realistically, an exploit is bad. This research is just a way to make a bad thing worse.

Re:Windows bashing aside ...

... patch based security is also the model linux uses (as far as I understand).

Ugh.. Why are people like you allowed on the internet!

Read the article. Hell, read the damn slashdot summary: "current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned"

Given: Linux doesn't stagger patch distribution. MS does. Conclusion: There is a weakness in MS patch distribution that doesn't exist in Linux.

Re:Windows bashing aside ...

[Wrath0fb0b]

The OP is correct, Linux updates (at least in the *untu line of distros) are purposefully staggered to avoid hammering the servers. IIRC, every install has a random number associated with it that determines when it checks for and grabs the updates.

As others have said, there's nothing you can do about it except hope that there are multiple layers of security (I suppose compartmentalization and frequent backups help in the remedial sense).

Re:Windows bashing aside ...

[weicco]

How can it be hinderance to have sources where problem exists and where it is fixed? Just run a damn diff of them and there you have it.

Re:Windows bashing aside ...

[setagllib]

Right, because a delay of maybe an hour in automatic updates in Ubuntu is somehow comparable to up to a month for Windows. Patch tuesday isn't weekly, it's monthly. And in Ubuntu, like in any other distribution, you can request a full update and upgrade at *any* time - it's only the automated check which is staggered and very reasonably so.

That's the biggest problem.

[khasim]

The vendor CANNOT depend upon the users/admins patching their systems all the time.

The vendor MUST ship with the minimum number of services running BY DEFAULT and with the minimum rights for those services.

My problem with Microsoft on that is that they did NOT minimize the number of services. They put a software firewall in front of them.

Meanwhile, I can put a vanilla Ubunut workstation on the 'Web without a firewall.

Where's the WellDuh Tag

[techpawn]

Of course there are going to be flaws in this kind of release/patch system. The problem it trying to become savvy enough that you don't need "automatic" updates and can actually patch what needs patched on your system as it needs updated.
I've heard reports of bugs created by patches and patches to fix bugs from patches that only took it back to base version.

Re:Where's the WellDuh Tag

[Bacon+Bits]

Yeah, exactly. If this is a problem with Windows, then it's a worse problem with Linux!

Not only can you reverse engineer the binary, but you have access to the source code and it's modifications. If you read bug trackers or dev mailing lists, you can even pick up security vulnerabilities before the patch is even released just by looking at bugs and diff files.

You can't put the toothpaste back in the tube, people. Arguing that that means you shouldn't brush your teeth is ridiculous.

Re:Where's the WellDuh Tag

[Dr_Barnowl]

It's less of a problem with Linux, even if, as you say, having access to the source makes it easier to craft your exploit.

First, GNU/Linux users tend to be much more security aware than your average Windows user. Let's assume that will change as the market share increases, but for now, it's true.

Second, the design of GNU/Linux operating systems is inherently more secure. Fewer things run in ring 0. It's harder to get users to run anything, as you specifically need to set the executable bit.

Third, the very thing that makes it easier to devise exploits for GNU/Linux ..... makes it easier to devise exploits - and fix them, sometimes even before they are a part of the OS.

Fourth, GNU/Linux systems are not all the same. As other people point out, the reason that Windows gets attacked, is that Windows has 90% of the desktop share. Even if everyone was running a GNU/Linux distribution, they wouldn't all be running the same OS.

Fifth, out of the box, Windows runs many more services than GNU/Linux, especially network services. This is the reason for the "13 seconds" pwnage time typically quoted for an unpatched Windows machine connected to the naked network. Some of these services cannot be turned off without the OS ceasing to function properly. It's best to keep Windows behind a firewall - but the very segment of the public that is most vulnerable is the segment least likely to be behind one.

Sixth (and on the same kind of topic), Windows installation disks are typically not re-mastered and printed except for major service packs, and you can't typically download a burn a new install disk, even after service packs become available. The service packs are large, so they offer a large window for infection while they download.

(perhaps Windows could do with a "patch" mode, where it only allows network connections to MS patch servers with the appropriate certificates, to be activated whenever there are outstanding patches and it's naked on the internet).

GNU/Linux distributions are often in a similar boat though ; but their major releases are usually free to download and burn, so you always have the most recent "major" install disk. Many distributions have utilities that will prepare you an "all-in-one" up to date installer. Such things are also available for Windows, but again, on average, much less likely to be used.

Re:Where's the WellDuh Tag

[Bacon+Bits]

While all true, those are all straw men.

The problem as asserted by TFA is that the patch process of Windows -- namely, Windows Update -- was inherently insecure because the patch can be reverse engineered with public information to discover the vulnerability. This truth is that this is neither a new problem, nor a problem unique to Windows, nor a problem with a realistic solution (none of the suggestions are reasonable, as other users have posted). Second, since the problem as asserted by TFA

I did not argue that Linux was less secure. I argued that the assertion of TFA is more appropriately applied to Linux because it is more severe there. With Windows, you can't reverse engineer until the patch is available to the end user. With Linux, you can reverse engineer with public information before the patch has even been committed to the code repository. That's before the code has been checked, before the revision has been compiled, before the news has been released, before your distribution updates their repository, and thus before it's readily available to the end user (downloading source code, running a diff, and recompiling is far, far from "readily available"). So unless you as an end user are also on every dev list and reading every bug tracker for every service on every Linux system in your Enterprise, you're not going to get security updates anywhere near as fast as hackers can reverse engineer them.

This doesn't mean that Windows is more secure than Linux. It means that security through obscurity works when the exploits are predicated on the system being transparent, which is exactly what this "problem" is.

My point is that this is a non-issue and an irrelevant problem in as much as it's an artifact of the system that can't really be corrected.

Re:Where's the WellDuh Tag

Fifth, out of the box, Windows runs many more services than GNU/Linux, especially network services.

Really, I didn't know that there were many network services available in Windows, at least not the home versions.

M$ need to stop haveing a fixed update day and go

[Joe+The+Dragon]

M$ need to stop having a fixed update day and go back to having them come out when they are ready and not waiting for the next patch day.

you got it wrong

[yanyan]

5) "???"

Instant patching is never going to happen.

[Vellmont]

If it's possible to generate an exploit that quickly, we need to completely abandon the current "patch it and hope no one broke in" approach to security. It's never been a good approach, but if any idiot can generate exploits via a point-and-click program, that's obviously a big problem. This problem isn't limited to Windows, and most operating systems aren't patched within even a few hours of a patch release. There's good reasons for this, and bad ones. But no one really wants to trust their critical systems to be patched (and possibly go down and become unworkable) to an instant patch system.

The fundamental problem here is that a lot of security depends on single points of failure. A real security system relies on the "defense in depth" approach.

Nope. That's a logic error.

[khasim]

Nonetheless, outside of these two cases, it seems like Microsoft is being targeting because, well, they're Microsoft. They have a huge market share and a really good update management system, so they're a big target for something like this. That coupled with their history of vulnerabilities, and it's easy to understand why they were picked over, say, Apple.

Nope. If that were correct, then Apple would see 5% (or so) of the "virus" development out there.

There are millions of Macs out there. If cracking them was that easy, they'd be cracked. There's just too much money there even if the Windows market is almost 20x larger.

Re:Nope. That's a logic error.

[Sancho]

Did you misunderstand me?

It's easy to understand why the researchers picked Microsoft's Windows Update over Apple's Software Update. We're not talking about exploits, we're talking about the paper.

Re:Nope. That's a logic error.

Nope. If that were correct, then Apple would see 5% (or so) of the "virus" development out there. It doesn't work that way. Malware today is a profit driven business. As of now, it doesn't make business sense to develop malware for OSX.

Re:Nope. That's a logic error.

[Digital_Quartz]

The "market" for malware consists of customers who want to buy computer cycles for shady purposes. The Mac users certainly aren't clamoring for malware, and the paying customers in this "industry" probably do not really care whether their spam is being delivered by Macs or PCs, even if the Mac ads are very cute. So, I imagine there's really very little money in Mac malware.

Re:Nope. That's a logic error.

[RiotingPacifist]

Nope. If that were correct, then Apple would see 5% (or so) of the "virus" development out there. You have to put alot of work into making an exploit, do you choose to put that work into something that gives you 90% or 5% returns. Its not like if there were 100 hackers and they all decide to pick on 100 machines at random, no they all try to infect the most machines possible (you need to infect 6% of Windows machines to have the same effect as writing an exploit so good it infects every mac machine), and that means all 100 hackers will go for windows!

While Apple may be more secure, until you get 50% market share your not going to get 50% of the effort put into attacking you.

Re:Nope. That's a logic error.

[RiotingPacifist]

It doesn't work that way. Malware today is a profit driven business. As of now, it doesn't make business sense to develop for OSX. fix that for you :P

Re:Nope. That's a logic error.

Why do people still believe that?

Apple Mac is very luxurious and elitist product
I fathom a educated guess that the 5% user base has a lot more money per user to flash around towards a good scam.
Plus most Apple users due to their perceived perception of being safe are gullible enough to allow and ignore any warning about exploits.

Re:Nope. That's a logic error.

[RiotingPacifist]

do the maths. assuming that mac users are ½ as careful (or twice as stupid) they would need to scam 9 times as much money out of every mac user as a windows user. We know macs are expensive but you dont need to be 9 times as rich to own one.

Requires administrative privileges to apply

[ClubStew]

This research seems to miss one critical point: you have to have administrative privileges to apply the vulnerability-generating patch. That's not a success crack, since if you already have administrative privilees you own the machine. It's no different than with linux: you have root, you win. Michael Howard et. al. have been over this countless times through blogs, books, and whitepapers. Just because you can identify or even generate a vulnerability doesn't mean you can exploit it.

Now, granted, when users run as admins this does pose a problem which is one reason - and obviously not the only, based on comments made by Microsofties that have appeared as stories here on /. - that UAC exists. Not the prompts, but more to the point that administrators do even run with a full privileged token: just a normal user token with the privilege to escalate with a simple yes/no dialog.

On top of all this, IIRC it was IT administrators that wanted a consistent release schedule to avoid a fire drill of internal testing every time a patch came out.

Re:Requires administrative privileges to apply

[Sancho]

I think you really missed the point. This has nothing to do with being admin on a vulnerable machine or "generating a vulnerability."

The point is that on my own machine, I can examine the patch and the old file, and then generate an exploit. If the vulnerability was in a running service (say, the firewall code or the Server service), then I can create a worm which will propagate through the network.

Windows Update Can Hurt Security

[onefriedrice]

Wow. Who knew?

How is this limited to Windows?

[analog_line]

Couldn't this process (modified of course) do the same thing to any update for any software at all?

How exactly is this news? I mean, I should update my software when there's a new patch anyway, but now that THIS has been developed I...need to update my software when there's a new patch... Automating it is a pretty neat trick, and it pretty much destroys any argument for security through obscurity, since it means you couldn't patch any hole to maintain the obscurity, but it's not like security through obscurity in the computer software realm has that amazing a track record in any case.

From the PDF:

[TripMaster+Monkey]

The PDF outlines three methods of alleviating the problem of staggered patch distribution:

1) Patch Obfuscation: basically an attempt to hide exactly what the patch fixes by padding out the patch with a lot of lines of nonsense. While this might prove effective, it would only be effective until an improved algorithm for discerning the true reason for the patch is found, and in the meantime, it would create its own set of problems, particularly if the level of obfuscation required balloons the size of the patch to an unmanageable degree.

2) Patch Encryption: basically distributing the patch in an encrypted format, waiting until it is reasonable to assume that everyone has the patch, and then transmitting a decryption key to decrypt and apply the patch more or less "simultaneously". Problems: this only pushes the problem back one level; meaning the same method of exploitation is just as possible, while this also creates an unacceptable time lag for patches to be applied, which hackers who write exploits the old-fashioned way can exploit to their considerable benefit.

3) Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.

In summary, none of the methods outlined have much of a chance to combat this new threat.

Re:From the PDF:

[Seth+Kriticos]

Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast. Problems again include off-line hoists, as well as hosts who have the misfortune of being on ISPs that take a dim view of P2P.

Why not use the bot nets for this kind of stuff? I mean, previous article today already showed, that they have a quite effective way of patching arbitrary systems and distribute mass content.

Re:From the PDF:

[Lodragandraoidh]

There is a fourth choice -

security through obscurity - don't provide patches at all, and never release the source code. This will make it much harder for script kiddies.

It should be noted that Microsoft Research is aligned with the CMU Computer Science department - vis a vis the Microsoft Carnegie Mellon Center for Computational Thinking. That is either ironic, or obvious depending on your viewpoint (either it can fuel Microsoft to do a more thorough job of releasing early, often and being more transparent, or more likely, it will confirm Microsoft's assertion that security through obscurity is the way to - continue - going).

Re:From the PDF:

Problems again include off-line hoists

I hate when my hoist goes offline. How else am I supposed to get out of bed to get another bag of Cheetos?

Re:From the PDF:

Sounds like a case for Code Blue. Write a virus with a 30 day timeout that exploits the patch to spread itself and patch the problem.

Re:From the PDF:

[bigHeadSmallBrains]

Just for the sake of discussion, do you think this would work?

- Server (S) has a new patch.
- S sends tokens containing some form of authorization scheme to clients (C). These tokens contain the type of vulnerability, i.e. the type of access needed to the computer in order to exploit it.
- Upon receiving token from S, C checks if tokens are authorized. If yes, it gets paranoid, blocking access to everything specified in the token entirely. This can only be overridden by downloading (or by the local superuser for each single time a blocked access is required, otherwise this would probably be too annoying...)
- C downloads updates from S and releases access.

Problem is much bigger than article suggests

Here where I work, Windows Updates brings some of our older servers to a crawl, and sometimes even knocks out our network for our remote branches. Thankfully, I'm not one of the Windows guys here. :) Our AS/400 (iSeries) runs so much more smoothly.

Posting anonymously obviously to protect the innocent.

No fix feasible

[Todd+Knarr]

Unfortunately, no fix is feasible. The basic problem is twofold:

• If you tell someone how to fix a problem, you tell them what the problem was.
• It's not possible to push updates to all affected systems simultaneously.

That the first is true should be obvious if you think about it for a minute. As for the second, that comes from the fact that the affected systems are owned by different entities with different requirements and different environments. A fix for a problem affects more than just the fixed software, especially when the fix is in the operating system on which other business-critical software runs. Any fix has to be checked for compatibility with that entity's specific environment, this checking can't start until after the entity has gotten the fix, and everybody's going to take a different amount of time to check and get clearance to deploy.

The only "fix" would be a mandatory push to all systems at one time, and that won't be accepted by the people who own the systems unless Microsoft or someone else accepts complete 100% liability for all costs associated with any failure. And I just don't see that happening.

So what would the new system look like?

[evanbd]

What would the new system look like? The best I have so far is something that distributes the patch, encrypted, and then releases the key some time later when many systems already have the patch downloaded and can install it immediately. Of course, I'm not sure how much that improves over just using bittorrent to distribute the whole thing with much higher aggregate bandwidth.

This article is dumb.

[Mongoose+Disciple]

Not to be inflammatory, but it really is.

Essentially, these people wrote a paper which says that hackers can analyze Windows Updates and figure out how to attack systems that aren't patched yet thereby. It goes into theory and proofs of that. Thanks, everyone else knew this about Windows Update years ago, probably for about as long as there's been a Windows Update.

It then proposes some solutions which are all, on the whole, worse than the status quo for various reasons. For example, forcing all Windows machines, whether they're turned on or connected to the internet or not, to patch at the very same instant is not realistic.

They should've called this thing: "Windows Update has problems. Magic can fix them."

Re:This article is dumb.

[TripMaster+Monkey]

Didn't actually RTFA, did you?

If you had, you'd know that this paper did not say that "hackers can analyze Windows Updates and figure out how to attack systems that aren't patched yet thereby". What it did say was that it is possible to write software that can analyze the update for you and churn out an exploit for the security issue identified thereby...in a matter of seconds.

Re:This article is dumb.

[Mongoose+Disciple]

Right. Perhaps I summed up that part of the article too briefly.

Regardless, none of their proposed solutions are viable.

Comment removed

[account_deleted]

Comment removed based on user account deletion

There is a solution...

[thatskinnyguy]

...test every patch in a VM or a machine with a similar hardware set. Period! Turn off Automatic Updates and tell it to not bother you or the user because it's turned off.

Well you were not very clear.

[khasim]

And if what you say now is correct, then there's no reason why the research team could not have included Mac updates and Ubuntu updates.

I do not see them picking Windows because it is Windows.

Staggered patch distribution is VERY imporant

[Thornburg]

You can't have everyone everywhere past patched at the exact same time, and even if it were possible, it is not a good idea.

Let's suppose that someone did come up with a good way to distribute patches to the whole world instantaneously & simultaneously.

Now let's suppose that Employee X at Microsoft accidentally put the wrong version of the latest patch into the system, and that this version of the patch fixes the targeted problem, but breaks the MS TCP/IP stack in the process.

What would happen if every single Windows box in the entire world simultaneously lost all network connectivity?

Scenario 2: Employee Y at Microsoft deliberately puts a maliciously edited patch into this instant distribution system, and now has a rootkit on every windows box in the whole world?

Somehow I think it is a good thing that some victims... I mean people get patches before other people do.

Re:Staggered patch distribution is VERY imporant

[TripMaster+Monkey]

What would happen if every single Windows box in the entire world simultaneously lost all network connectivity?

Something like this, I would imagine... ^_^

Windows can hurt security

[Akita24]

There, fixed that for you. (Sorry, couldn't resist)

Black Tuesday Has Value

[FurtiveGlancer]

Black Tuesday is rather important to many organizations as it gives them a target for workload planning on patch integration, testing and roll-out. Overtime can be good. ;) The fixed day is not the issue. IMHO, poor coding discipline is. http://www.sans.org/gssp/SANS-SSI%20C%20Blueprint%20(9-07).pdf

Another problem with strategy 2

[symbolset]

2) Patch Encryption: basically distributing the patch in an encrypted format, waiting until it is reasonable to assume that everyone has the patch, and then transmitting a decryption key to decrypt and apply the patch more or less "simultaneously". Problems: this only pushes the problem back one level; meaning the same method of exploitation is just as possible, while this also creates an unacceptable time lag for patches to be applied, which hackers who write exploits the old-fashioned way can exploit to their considerable benefit.

The result of a bad patch: Global instant borkensystem. With option 3 it's similar -- Fast Global Hosenboxen. Nobody would consider option 1. It too obviously won't work.

Nope... it's time for the Bazaar.

Automatically deriving exploits by theorem proving

[Animats]

This is fascinating. As someone who's worked with automatic theorem proving and proof of correctness techniques, I'd never thought of using them in this way.

What they're doing works like a proof of correctness system in reverse. They difference executables before and after the patch (which in itself is impressive), then, having isolated the patch, analyze it automatically. Security patches usually consist of adding a test which constrains the valid inputs at some point. So they use a symbolic decision procedure, which is part of a theorem prover, to work back through the code and automatically derive a set of inputs that would be caught by the new test.

This is more than just an attack on Windows Update. It's true automated exploit generation.

This is potentially applicable to any security-critical code that changes over time. One could, for example, have something that watched check-ins to the Linux kernel tree and developed new exploits to current stable releases from them.

Ok, it's bad. Got any better ideas?

[Opportunist]

If you have a patch, you can diff the original and the patched file and find out what got fixed. No secret here.

So how can you close the gap between fixing and exploiting? That's nothing MS could fix. You have to. Patch early, patch often.

If any message is contained here, it's that if there is a patch out and you didn't use it, you're extremely vulnerable. That's pretty much it, nothing really new here.

The Solution is Simple....

[tylerni7]

...just do it right the first time. Alright, so maybe that's not quite feasible, but that is because you can't possibly fix something like this completely. If you have bugs in your code, they can be found one way or another. Simple as that.

2 points

[v(*_*)vvvv]

1) Isn't this an old problem? Not only is this old, but it applies to any computer system, so to single out Windows Update seems naive (as others have said).

2) I think we are forgetting that the exploits still need to be distributed, and the article refers to worms, but how is this different from any other worm/virus?

Smarter viruses will attack weaknesses that are yet widely known or patched, so those that use exploits based on public patches are 1) stupider and 2) more predictable.

So this is less of an "update how" problem, and rather more of an antivirus problem. The previous might be impossible to solve, but the latter we have solutions for.

Liability problem?

[bkaul01]

And what happens when someone who has downloaded the encrypted patch has his system compromised because you're waiting for some idiot who hasn't to do so before you'll release the key that unlocks it? In a worst case scenario, you could end up facing a class action suit for not enabling the patch. I don't know if such a suit could be successful, but I'd bet someone would try it. At present, if someone has failed to update his system with the latest patch, it's not Microsoft's fault. Under this system, if Microsoft was refusing to actually make the patch available to one until others have it, that poses ethical and legal questions. I'm not a lawyer, and can't say what the legal answer would be, but I'm sure the question would arise.

Re:Liability problem?

[Ed+Avis]

Legally I doubt the situation is any different from knowing about a vulnerability and having it fixed internally, but not bothering to announce the vulnerability or release the fix until it's convenient for you (which happens all the time in the proprietary software world).

I didn't suggest waiting for every last user; in any case nobody has a record of how many Windows users there are. Just waiting say three days, which should be long enough for 99% of Internet-connected machines to download the encrypted update, and then releasing the key so they can all update at once.

MS is one step ahead

[aztektum]

Microsoft thought about this. In the latest update, they've decided that to improve security, they'll disable all input devices on your computer.

By making a users computer useless, the goal is to get fewer people using computers, thereby reducing security problems.

So what they're really saying is...

[imyy4u2]

don't release patches, because then people will be able to reverse-engineer the patch. Great idea.

Which just shifts the problem.

[Ungrounded+Lightning]

Or distribute encrypted patches over the course of a day, then when you publish the key everyone can update

Which shifts the problem from distributing the update to distributing the key.

Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.

And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.

Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!

Ditto even if they don't crack the patch - but the patches exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.

= = = =

In a battle between weapons and armor, weapons eventually win.

Re:Which just shifts the problem.

[Ed+Avis]

The idea is that because the key is so short (if you used AES encryption, for example, it would only need to be 32 bytes long) it could be distributed very quickly and would be hard for a DDOS to stop.

The bad guys can't crack a symmetric cipher like AES (or if they can, we are all in much worse trouble than we thought). Similarly they can't break in to servers belonging to Microsoft to grab the key early (or if they can, Microsoft and its users are all in much worse trouble than we thought).

Re:Which just shifts the problem.

[mysidia]

To prevent unpatched (non-internet-connected) systems from being a danger; 'WGA notification' and 'Windows activation' should be expanded to 'Patch notification' and 'Patch activation'. Failure to activate the patch in X days will result in special restrictions imposed on network connectivity.

I.E. All operations disabled except for patch download. Meaning you can reconnect to the internet, but you must download and activate the patch, before Windows will re-enable surfing.

The key distribution mechanism can be designed to be resilient. Use 128-bit keys -- just large enough to make cracking hard. Due to the small size of the keys, this should be very easy. Give every patch a unique ID and put something like a SHA256 hash of the legitimate key in the header (so any system seeing the key can easily pick it up and inexpensively see if it is the legitimate key, and which version of the patchset it unlocks)

MS could utilize an ad-hoc peer to peer network. Windows systems will share the key. Once a machine knows the key it will transmit to some of its buddies in the form of a datagram.

The key should actually decrypt a file that contains the _real_ encryption key for the relevant patch, as well as the keys to all prior-released patches. That way the latest 'key' is all you ever need, when applying many updates later on (for example, to a newly installed system).

Utilize local-subnet broadcast or a special IPv6 multicast address for each specific patch. When a windows box is waiting for the key, it will join that multicast group. When a windows box on a LAN finally gets the latest patchset key, it will send the key out as a small packet to that multicast address.

Utilize default-domain records.. I.E. ISPs can publish the key using a DNS TXT record ._windows.defaultdomain IN TXT "key here"

Which just shifts the problem.

[Ungrounded+Lightning]

Distribute an encrypted patch, and then once all clients have downloaded it reveal the key, which is short and can be sent in a single network packet.

Which shifts the problem from distributing the update to distributing the key.

Of course this does have another advantage: Distributing the encrypted update also distributes notification that there WILL be a key, and can tell the users when. Then it becomes a race to get the key and apply the patch before the bad guys can get the key, generate, and deploy an exploit.

And the downside: The bad guys also know the patch is coming, and when. So they can use their existing botnet(s) to grab a key as soon as possible, then (or simultaneously) DDOS the key distribution mechanism while they generate and deploy the exploit. This makes things WORSE: A much larger fraction of the machines are vulnerable when the exploit deploys.

Still worse: If the bad guys crack the encryption, or manage to break in and grab the key early, they get to automatically generate and deploy an exploit while NOBODY has the fix. Oops!

Ditto even if they don't crack the patch - but the patche exposes that a vulnerability exists and perhaps what module has it, and they find and exploit the vulnerability before the key deploys.

= = = =

In a battle between weapons and armor, weapons eventually win.

Stagger patch distribution over long time periods,

[JavaManJim]

As the article suggests in its last paragraph. Windows Update needs to rethink itself. Perhaps a patch CD. I have many problems installing updates. LARGE UPDATE DOWNLOADS TINY PATCH APPLICATION ON SHUTDOWN Use my XP SP2 system as an example. It has about 84 updates that download every single day slogging up my first fifteen minutes of work while my PC downloads every patch. Then only one dinky patch MIGHT get applied when I shut down. DOWNLOADS ALREADY APPLIED PATCHES. Another example is unintelligent update download. I manually downloaded and applied the time zone patch (KB946723). But MS keeps downloading and trying to apply this patch. EXPRESS INSTALL (NOW) FAILS MISERABLY. I just now tried to install 88 updates with nothing else going on on my PC. Every single update failed. Is this a way to run updates? This reflects rather poorly on Microsoft. Jim

Which only works for small messes

[Ungrounded+Lightning]

Think of sysadmins as janitors. We pay you to wipe up the mess. It's not worth our while to invest in systems that don't create a mess as long as janitors are cheap enough to come with their electronic mops and buckets.

That works for small messes.

It doesn't work for somebody getting hold of the company's trade secrets, client list, bidding information, road map, and headhuntable employee names and pay scale.

It doesn't work for somebody cracking the information on the company accounts and transferring the cash reserves to themselves via untraceable paths.

It doesn't work for somebody destroying or corrupting the IT infrastructure - especially the databases - and taking the company out of business for days or forever, causing key employees to quit or be fired, etc.

It doesn't work for somebody corrupting industrial process control infrastructure and literally destroy plants and kill employees, or cause the company to build and ship defective products.

I could go on.

Cleaning up IT graffiti is one thing. Cleaning up IT nuclear strikes is quite another.

IMHO any corporate IT exec who treats malware like graffiti, rather than an early warning of something more serious, is negligent in his fiduciary duty to the shareholders and perhaps criminally negligent in his duty to protect the lives and health of the employees. (Pity that most of 'em do treat the threat in this way. B-( )

Re:Which only works for small messes

Your post reminded me of this. Unfortunately it seems that there is no system that doesn't require janitors. Or maybe it seems to not require janitors, but really it's so obscure that it requires trained mechanics to keep it running instead of just janitors to clean up after the occassional spill.

dom

It's called "IP Multicast"

[Ungrounded+Lightning]

Unless Microsoft starts using something like satellite technology and distributes a satellite receiver to every user of Windows, you'll always have to deal with lag for getting patches out.

It's called "IP Multicast".

Does YOUR ISP support it?

2 and 3 are also vulnerable to countermeasures

[Ungrounded+Lightning]

2) Patch Encryption: basically distributing the patch in an encrypted format, waiting until it is reasonable to assume that everyone has the patch, and then transmitting a decryption key to decrypt and apply the patch more or less "simultaneously".

This can make things worse:

The distribution of the patch alerts the bad guys to the existence of the bug.

  - They can use their botnet infrastructure to get the key early and DDoS the key servers (possibly simultaneously, using the botnet to grab the key through the DDoS leaks). This may end up with a larger unpatched population when they deploy their exploit.

  - If they can crack the encryption or break into the distribution mechanism and grab the key early, they can deploy the exploit while NOBODY is patched.

  - If the existence of the patch alerts them to the existence and possibly to the location of a vulnerability, they may find it by other means before the key is released, again deploying an exploit while the whole population is unpatched.

3) Fast Patch Distribution: basically leveraging technologies like P2P to insure that patches are rolled out...well...fast.

This just changes the timescale and is subject to DoSing as well. It also (as others have pointed out) opens the opportunity to poison the torrent/whatever with fake or corrupted versions of the patch - installing their own back door if possible, delaying or halting the updating to widen their exploit window in any case.

What's important about this:

[Ungrounded+Lightning]

What's important about this is that it can quickly and automatically generate exploits given only OBJECT code - faster even than a good programmer could do it from source.

This negates the claim that hiding the source code increases security.

Re:What's important about this:

[remahl]

This negates the claim that hiding the source code increases security. Static analysis against code diffs would likely have even higher accuracy and similar performance characteristics. It is easier to parse and understand the logic of source code than of optimized machine code. This is true for programs as well as for humans.

Re:What's important about this:

[xOneca]

M$ doesn't hide the code for security, they hide because, instead, all programmers would laugh at the stupidities their moron programmers had done.

Re:What's important about this:

this also negates the point to have source actually helps to find vulnerability....
since an automatic process can find them {and basically it kind of always worked like that, you just send shitload of data in a pattern till it bugs then you analyse, it is way faster than to read the code}

Re:What's important about this:

"I can't reach those grapes, therefore they must taste terrible."

You do know that Microsoft has partnership programs with quite a few universities and a number of governments where they have access to the Windows source code for educational purposes, right?

Re:What's important about this:

[Eivind+Eklund]

Exploits deal with stack layouts and similar; they're necessary to do against object code. The only advantage of having source code is that it allows you to see more of the context, and more easily find the errors.

It's impressive

[bmajik]

But based on my reading of the paper, it isn't 100% there. You don't get "sploit.exe" dumped onto your disk when the thing is all done. Their stuff only works backwards to a certain point.

For instance, when they come up with the exploit for WMF reader vulnerability, they're not making you a new WMF file (as I understand, anyway).

One thing that interested me is the model they invented. The binary differencing was off-the-shelf stuff from eEye. But their model of the x86 machine (cpu, instruction side effects, registers, and memory) is new, and that seems like something that could have been written previously.. I'm surprised they needed to do this. They also define a space of functions that examine the model to determine if badness has happened, for each specific kindof badness they're interested in, i.e. return address changes during execution of call.

They also appear to require execution traces of P (or P') to run under a machine monitor; I don't think from the instructions in P they work backwards from P/P' difference lines and construct initial conditions of the machine state. Even if that _is_ what they were doing, they only model the salient portions of the binary, not the outside system.

Even so, what they're doing here is fantastic. The things they're not doing (automatically creating files that trigger the exploit) are all possible offshoots from this paper, if one were to have sufficient computing power and time to create models of the salient portions of the system. For each different data flow into the instruction/memory space, the model would need to describe the line of demarcation. In the case of the WMF/PNG vulnerabilities, that line is on the other side of readfile or mmap or whatever. (i.e. the bytes that trigger the exploit come from the disk). Building a file on disk in a certain way to cause a sequence of x86 instructions to produce the desired memory is a hard problem in and of itself, although I perhaps possible with the tools and techniques they've already got.

The same would be true of the ASP.NET vulnerability. I beleive they can work backwards from exploit to the in-memory representation of a URL request. At that point, knowing that URLs come from the outside hostile internet, through IIS, etc etc etc, is vuln-specific domain expertise. However, a library of injection points (file on dist, URL request from network, packet from network, etc) could be built around the analysis model. The analysis engine works backwards until it says "here is the memory precondition that leads to an exploit, now i rely on an injection plugin to acheive that memory state."

In other news...

[timbck2]

Not eating can make you hungry.

fundamental "tenant" of security ?

[petershank]

It should be a fundamental _tenet_ of publishing academic papers that you get them proofread or copyedited by someone not in the Computer Science department.

Re:Stagger patch distribution over long time perio

[Bacon+Bits]

First, KB946723 isn't the time zone patch. It's a Vista patch for hibernation blue screen errors.

Next, your problem is that the Windows Update client is broken on your system. To fix it:
1. Stop the BITS and Automatic Updates services.
2. Delete C:\Windows\SoftwareDistribution\. It will be recreated later.
3. Start BITS and Automatic Updates and go back to Windows Update.

If that doesn't work, then IMX following this KB article will fix it eventually:
http://support.microsoft.com/kb/822798

If you're not sure what Windows Updates is doing, check the log file located at C:\Windows\WindowsUpdate.log (NOT 'Windows Update.log'). You can always search that for the error numbers the updates are throwing.

Just because it's Windows doesn't mean you don't have to know how it works.

Gee everything else works, why is that?

[gelfling]

Avast (AV scanner), Apple software like iTunes, QT and Safari, as well as Acrobat, Sun Java, Real, Winamp, Limewire, my Comodo firewall, Weatherbug, Paint.net and about 20 other packages all seem to have managed to figure out the 'call home' feature so they know whether there's an update or not for me to decide to pull down. And then low and behold I grab one big binary that executes and installs itself.

Funny how MS hasn't figured that out yet. As it is the last 13 patches I installed totalled only 2x the size of the ginormous Adobe updates I get regularly. And those MS patches included some huge chunk of .NET.

So here would be my recommendation for MS. Give me a widget that looks at the current build, constructs a detailed version datefile, compares that to the latest and greatest at Casa De Redmond, then gives me an arbitrary bundle with ALL of the patches even if I already have a few of them. Then when I execute that single binary it tells me the same thing that DLL installers already do which is "The version you are installing is at the same or prior level as the one you have installed" and automatically skips it by default. It performs the same sideways installation for locked files in the process tree at that time, and cues me for a reboot to finish installing the locked objects.

You know, like everyone else does.

Re:Gee everything else works, why is that?

Avast (AV scanner), Apple software like iTunes, QT and Safari, as well as Acrobat, Sun Java, Real, Winamp, Limewire, my Comodo firewall, Weatherbug, Paint.net and about 20 other packages all seem to have managed to figure out the 'call home' feature so they know whether there's an update or not for me to decide to pull down. And then low and behold I grab one big binary that executes and installs itself.

Funny how MS hasn't figured that out yet. They should have something that automatically checks for updates. I propose they call it 'Windows Update'.

Re:Gee everything else works, why is that?

[gelfling]

They do but the problem is it inserts the user into the process and then makes you fiddle with it and use up your time. I have never met a single ordinary user who didn't have that yellow shield in the system tray waiting for you to tell it to 'run' the updates that were downloaded. And then, when or if they ever do, something invariable goes wrong or it takes forever or both. Windows Update is profoundly broken.

Re:Gee everything else works, why is that?

[Allador]

I know its been a few days since this thread went by ... but this is just ridiculous.

Automatic Updates requires no user interaction. Come 3am it will install any downloaded patches. No user interaction required.

On most corporate configurations, end-users wont even see the yellow shield in the system tray.

On several hundred machines that I have responsibility for, we get 3-4 bad patches per year. And by that I mean 3-4 machines have problems with patches. Out of a few hundred x 12 months per year x number of patches per super tuesday.

These are very reasonable failure ratios, and not indicative of 'profoundly broken'.

And what the heck would be the point of your massive super-patch distro you describe a couple levels above? Sounds like a lot of wasted bandwidth and cycles for no purpose whatsoever. MS went to major lengths to do proper binary delta compressed patches years ago because of complaints of the patch size.

Re:Gee everything else works, why is that?

[gelfling]

Actually no. They queue up and rarely install themselves. I have 10 different machines on 3 networks that do this.

Wasted bandwidth? 50MB? Asian font support in Acrobat was 32MB by itself. iTunes is nearly 60. 50MB is nothing. Stop worrying about bandwidth until you get into the 500MB range. A why is it that FIXES to .Net are in the 38-60MB range and they take 20 minutes to install? Does that sound working as designed to you?

Re:Gee everything else works, why is that?

[Allador]

Actually no. They queue up and rarely install themselves. I have 10 different machines on 3 networks that do this. What do the logs say, why are they not installing?

What have you done to troubleshoot this?

No hash can be guaranteed secure forever

[SEMW]

If you find a way to connect to your peers and ask them for some footprint of their patch (MD5, CRC, whatever), you can validate whether the fix you get is good or bad. MD5 has been cracked. That is to say, there are known methods of creating a file with a high probability of having the same MD5 as some original file.
And CRC was never designed to be in the least secure against that sort of thing in the first place. It's a good error checker, but it's not secure.

Yes, there are newer hashes that don't currently have any known vulnerability. But none of which you can be confident that they'll still have no vulnerability in half a decade's time. And if Microsoft were to build what you're suggesting into Windows, a vulnerability beign discovered in whatever hash they used would be a death-knell. How could Microsoft possibly fix it? Distribute a patch to change the hash -- over the compromised patch distribution network?

Re:No hash can be guaranteed secure forever

Ugh what retard modded this troll? There's nothing trollish about it, just argumentative...

Re:No hash can be guaranteed secure forever

[CTachyon]

MD5 has been cracked. That is to say, there are known methods of creating a file with a high probability of having the same MD5 as some original file.

This is not correct. There *is* an attack that permits a person to create two or more new files that share the same MD5 hash. (That the resulting files have the same MD5 hash is a certainty, not a mere "high probability".)

However, there *is not* an attack that permits a person to create one new file that has the same MD5 hash as an existing file. Files with chosen MD5 hashes are still not a reality (for now).

That said, it's time to smile and nod at MD5 while making a slow, non-threatening retreat. Sadly, SHA-1 is having similar problems, SHA-2 is based on many of the same SHA-1 and MD5 principles, and it's not clear that any of the alternative hash algorithms is built on more solid ground.

Such a system would be impossible to secure

[SEMW]

however if you use bittorrent or a similar system everyone downloading at the same moment would work better and faster. And how would you secure such a system? The only way would be to do something like compare the MD5 hash of the patch you've downloaded over the p2p network with an MD5 supplied directly from Microsoft.

Except that MD5 has been cracked. That is to say, there are known methods of creating a file with a high probability of having the same MD5 as some original file.

Yes, there are newer hashes that don't currently have any known vulnerability. But none of which you can be confident that they'll still have no vulnerability in half a decade's time.

And if Microsoft do what you've suggested and build such a system into Windows, what would happen if a vulnerability is discovered in the hash they used? How could Microsoft possibly fix it? Distribute a patch to change the hash used -- over the compromised patch distribution network...?

Re:Such a system would be impossible to secure

Except that MD5 has been cracked. That is to say, there are known methods of creating a file with a high probability of having the same MD5 as some original file.

Go read about the difference between a collision attack and preimage attack.

How about this ?

[artg]

On connecting to the internet, each machine compares its patch level with a master (probably a distributed database). It does this in a state that's analogous to 'windows safe mode' - it isn't running anything non-essential, and has no services available.
If the patch level is such that connection is unsafe, a patch is downloaded and applied before any additional functionality is allowed.
This fails for some organisations where there is considerable local cracking activity and imperfect access to the internet (so a machine might come up and be unable to contact the database, leaving it still vulnerable to local attacks). Any other flaws ?

That's another logic error.

[khasim]

You have to put alot of work into making an exploit, do you choose to put that work into something that gives you 90% or 5% returns.

You're using the wrong terminology. There is no "95%" return.

Rather, it is an issue of putting in effort X and choosing to bypass return Y (millions of machines) in order to fight every other cracker out there for a chance at return 20Y.

Now, you can say that every single cracker in the world does that ... yeah, right.
or
You can say that cracking a Mac is more difficult than cracking a Windows box. In which case Mac security is better than Windows security.

A zombie army of a million Macs is just as efficient (and valuable) as a zombie army of a million Windows boxes.

Browser in a VM

Or you could run a browser in a VM, and as for your computer, seal it off with a firewall, enable PAX, use NX, scan your files, and general good security practices?

Carnegie Mellon Researchers Can Hurt Security

[wirelessbuzzers]

As a security researcher myself, I sometimes wonder when difficult research that leads to exploits is the right thing to do. Of course, I think that most of the time it is, or I wouldn't be in the business, but this sort of story is still troubling sometimes.

There are alternatives ...

[freaker_TuC]

SHA-1, SHA-2, HMAC, ... Technology doesn't stand still, for every problem a solution.

Re:There are alternatives ...

[SEMW]

There are alternatives ... SHA-1, SHA-2, HMAC, ... Technology doesn't stand still You apparently missed the last two paragraphs of my post. If you didn't see them, I'll quote them for you here:

Yes, there are newer hashes that don't currently have any known vulnerability. But none of which you can be confident that they'll still have no vulnerability in half a decade's time.

And if Microsoft do what you've suggested and build such a system into Windows, what would happen if a vulnerability is discovered in the hash they used? How could Microsoft possibly fix it? Distribute a patch to change the hash used -- over the compromised patch distribution network...?

this news is pure FUD 'cause all OS's are affected

[thisispurefud]

this news is pure FUD because all OS's are affected, NOT just only Windows.