Microsoft's Windows Update patch management program has a critical shortcoming which, in some cases, could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they are not.
That warning comes from Russ Cooper, moderator of the NTBugtraq mailing list and an analyst at TruSecure.
Cooper said the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch. Until last night at least, Windows Update relied only on the "registry key" information associated with each patch to determine whether a system had a specific patch.
When a user goes to the Windows Update site, it first scans the user's system for such registry keys to determine which patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch even though the patch itself has not been installed on the system. This can happen if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it.
In that case, Windows Update is fooled into thinking the system is patched because it sees the associated registry key information. Other patch management products look for patch-specific file information in addition to the registry key information, Cooper said.
However, Microsoft program security manager Stephen Toulouse said Cooper's claim about Windows Update was unfounded, insisting that Windows Update has been checking for file versions in addition to registry keys when scanning for patches "for several months".
Citing the patch for the latest Windows Remote Procedure Call vulnerability (MS03-026), which is used to fight the Blaster or Lovsan worm, Toulouse said, "There's been tens of millions of successful implementations of this patch, and we haven't heard of a situation where customers think they have installed the patch and then find out they haven't."
Toulouse also questioned the method Cooper used to demonstrate the problem, calling it a highly unlikely and "artificial scenario".
By late Wednesday, Microsoft did, in fact, appear to be checking file information in addition to registry key information - at least as far as the latest patch is concerned, Cooper said, but he added that the same is not true for all patches. While it is possible that Windows Update is looking for patch-related file information, it does not appear to use this information to verify that the patch was installed.
Cooper is not alone in his concerns.
"I'm glad to see that Microsoft has added file version detection to MS03-026. However, there are many other serious security vulnerabilities that are addressed by other Microsoft patches that can be spoofed by simply writing a registry value," said a former member of the Microsoft security response team who is now working at a software patch management supplier.
The source added that, as of yesterday, the patches that could be spoofed by using registry keys included the following: MS03-030, for a critical buffer overflow vulnerability in DirectX; MS03-023, a patch for a critical HTML buffer overflow vulnerability; and MS03-001, another critical vulnerability related to the Microsoft Locator service.
"The only way to properly check for the status of security hot fixes is to scan for each file that ships in each hot fix and verify that these files are still present on the system. Registry keys cannot be relied upon as an indicator of patch status, as these keys may not accurately represent the present state of the machine," the source said.
Apart from lulling users into a false sense of security, there is a bigger problem, the source said.
"If Windows Update is relying solely on the presence of registry keys to determine if a patch has been installed, this process may be subject to exploitation from the next Internet worm. Imagine a Blaster- or Nimda-style worm that writes specific registry keys to each infected machine."
By spoofing registry keys, such worms could fool Windows Update into thinking that a user's system has been properly patched, he said.
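The following is an added example, not code from the article or from Microsoft, illustrating the check the source describes: treating the registry key as a hint only and counting a hot fix as installed solely when every file it ships is present at or above the shipped version. It also shows why that matters for the interrupted-install and spoofed-key cases discussed above: a registry-only check reports "patched" for both, while the file-verified check flags them. The hot-fix metadata (registry key path, file name, version numbers) and the three machine snapshots are constructed placeholders for the example and are not real Microsoft hot-fix data; the machine state is a plain dictionary so the logic runs offline on any platform.

```python
"""Cross-check registry evidence against on-disk file versions before
reporting a hot fix as installed.  All identifiers below are constructed
for this example (placeholders, not real Microsoft patch metadata)."""

from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a dotted file version such as '5.1.2600.1000' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class HotFix:
    bulletin: str        # bulletin number, e.g. MS03-026
    registry_key: str    # key the installer writes; what a registry-only scan looks for
    files: dict          # file path -> minimum version shipped in the hot fix


@dataclass(frozen=True)
class Machine:
    registry_keys: frozenset   # keys present in the registry
    file_versions: dict        # file path -> installed version; missing path = file absent


def registry_only_status(fix: HotFix, machine: Machine) -> str:
    """The weak check: key present means 'patched'."""
    return "patched" if fix.registry_key in machine.registry_keys else "missing"


def file_verified_status(fix: HotFix, machine: Machine) -> str:
    """The stronger check: every shipped file must exist at or above the
    hot-fix version.  A key with stale files is reported separately, because
    that is the signature of an interrupted install or a spoofed key."""
    key_present = fix.registry_key in machine.registry_keys
    stale = []
    for path, minimum in fix.files.items():
        installed = machine.file_versions.get(path)
        if installed is None or parse_version(installed) < parse_version(minimum):
            stale.append(path)
    if not stale:
        return "patched"
    return "registry-only" if key_present else "missing"


def audit(fixes, machine: Machine) -> dict:
    """Return {bulletin: (registry_only_result, file_verified_result)}."""
    return {
        fix.bulletin: (registry_only_status(fix, machine), file_verified_status(fix, machine))
        for fix in fixes
    }


# --- constructed sample data (placeholders, not real hot-fix metadata) ---
EXAMPLE_KEY = r"HKLM\SOFTWARE\Microsoft\Updates\PLACEHOLDER-MS03-026"
EXAMPLE_DLL = r"C:\WINDOWS\system32\placeholder_rpc.dll"
EXAMPLE_FIX = HotFix("MS03-026", EXAMPLE_KEY, {EXAMPLE_DLL: "5.1.2600.1000"})

# Install completed: key written and file updated.
FULLY_PATCHED = Machine(frozenset({EXAMPLE_KEY}), {EXAMPLE_DLL: "5.1.2600.1000"})
# Install interrupted (or key spoofed): key present, file still the old version.
KEY_ONLY = Machine(frozenset({EXAMPLE_KEY}), {EXAMPLE_DLL: "5.1.2600.0"})
# Never patched: neither key nor updated file.
UNPATCHED = Machine(frozenset(), {EXAMPLE_DLL: "5.1.2600.0"})


if __name__ == "__main__":
    for name, machine in (("fully patched", FULLY_PATCHED),
                          ("key only", KEY_ONLY),
                          ("unpatched", UNPATCHED)):
        print(name, audit([EXAMPLE_FIX], machine))
```

The interesting row is the "key only" machine: the registry-only scan says "patched" while the file-verified scan says "registry-only", which is exactly the condition the article's source wants an administrator to see and investigate. A real implementation would read the file versions from disk (for example via the Windows version-info APIs) rather than from a dictionary, but the decision logic is the same.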
Vivek Kundra, director of infrastructure technologies for Arlington County in the US, said his group had problems using the Windows Update server technology to deploy the patches to fight the Blaster worm. The county began working to install recommended patches for the Windows RPC vulnerability last Thursday, before the recent outbreak began to spread.
Although the county began the process using Microsoft's Windows Update process, it had to abandon the approach because the patches did not always deploy properly. It is now using a Novell resource management tool called ZENworks to distribute the patches. The county is now considering the possibility of outsourcing its patch management process to a third party.
Jaikumar Vijayan writes for Computerworld