Microsoft added to the problems caused by last week's
Blaster virus by introducing bugs on the website that supplies
patches to protect systems.
Russ Cooper, an analyst at security firm TruSecure, said he had
identified a flaw in the way Microsoft's Windows Update technology
checks whether users need to apply the patch to prevent infection
from Blaster. According to Cooper, on 13 August Microsoft altered
the way Windows Update functions in order to fix a problem with how
it detected whether users needed to apply the security patch for
Blaster.
Cooper said, "Many people thought they had already applied the
patch, but they hadn't." He said the error arose because
Windows Update checked only configuration settings stored in the
Windows registry database, rather than the presence of the patched
files on a PC's hard disc. Microsoft has now fixed this
problem.
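
The difference between trusting an install marker and checking the files themselves can be shown with a small audit routine. This is an added example, not Microsoft's or TruSecure's code; the file name, the marker flag and the three sample hosts are constructed for illustration and do not reflect how Windows Update is implemented.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_patch(marker_installed: bool, manifest: dict, root: Path):
    """Return (verdict, problems), trusting the files on disk over the marker.

    manifest maps a relative file path to the SHA-256 of its patched version.
    marker_installed stands in for a registry-style "patch applied" setting.
    """
    problems = []
    for rel_path, expected in manifest.items():
        target = root / rel_path
        if not target.is_file():
            problems.append((rel_path, "missing"))
        elif sha256_of(target) != expected:
            problems.append((rel_path, "not the patched version"))
    if not problems:
        verdict = "patched" if marker_installed else "patched-marker-missing"
    else:
        # The marker alone would report this host as protected.
        verdict = "marker-only" if marker_installed else "unpatched"
    return verdict, problems

def demo():
    """Constructed sample: three hosts as temp directories, hypothetical file name."""
    patched = b"component build 2 (patched)"
    old = b"component build 1 (vulnerable)"
    manifest = {"system/component.dll": hashlib.sha256(patched).hexdigest()}
    # host -> (marker value, file content on disk, or None if the file is absent)
    hosts = {"host-a": (True, patched), "host-b": (True, old), "host-c": (False, None)}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (marker, content) in hosts.items():
            root = Path(tmp) / name
            (root / "system").mkdir(parents=True)
            if content is not None:
                (root / "system" / "component.dll").write_bytes(content)
            results[name] = audit_patch(marker, manifest, root)
    return results

if __name__ == "__main__":
    for host, (verdict, problems) in demo().items():
        print(host, verdict, problems)
```

A marker-only check would report both host-a and host-b as protected; comparing file contents separates them.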
The news came as Microsoft prepared for Blaster's denial of service
attack, which hit its Windows Update site on 16 August.
Microsoft would not be drawn on whether Windows Update checked for
physical files or simply relied on the Windows registry. A company
spokesman said, "While Microsoft is unable to discuss activity on
its corporate network for security reasons, we are working to
ensure that the Windows Update remains available to our
customers."
According to some reports, the Blaster worm affected more than 1.5
million computers last week. Cooper believes one reason the
worm was able to spread was that IT administrators and home
users faced a massive task in patching their Windows PCs.
Given that the size of the patch was 1.8Mbytes, Cooper said, "If
you had 1,000 machines to patch, you would need 2.5Gbytes of
network bandwidth - a luxury many corporates cannot afford."
He advised anyone who is concerned about variants of Blaster
affecting their systems to disable the Windows DCom component,
which contains a flaw that Blaster exploits.
How to guard against Blaster
- Disable DCom in Windows
- Configure an access control list on your router
- Apply the Microsoft patch - but test it first.
Source: TruSecure