Bugs on Microsoft patch site left users vulnerable to Blaster worm


Microsoft added to the problems caused by last week's Blaster virus by introducing bugs on the website that supplies patches to protect systems.

Russ Cooper, an analyst at security firm TruSecure, said he had identified a flaw in the way Microsoft's Windows Update technology checks whether users need to apply the patch to prevent infection from Blaster. According to Cooper, on 13 August Microsoft altered the way Windows Update functions in order to fix a problem with how it detected whether users needed to apply the security patch for Blaster.

Cooper said, "Many people thought they had already applied the patch, but they hadn't." He said the error arose because Windows Update checked only the configuration settings stored in the Windows registry database, rather than the presence of the patched files on a PC's hard disc. Microsoft has now fixed this problem.
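As an added illustration (not code from the article or from Microsoft), the Python below contrasts a registry-only patch check with one that decides from the version of the file on disk, which is the gap Cooper describes. The host names, record fields and the `FIXED_VERSION` threshold are constructed placeholders, not real patch data.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholder: first file version that contains the fix (not a real value).
FIXED_VERSION = "5.1.2600.1000"

def parse_version(text):
    """Four-part Windows file version -> tuple of ints, so 999 < 1000."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

@dataclass
class HostRecord:
    name: str
    registry_marker: bool         # "patch installed" entry found in the registry
    file_version: Optional[str]   # version of the patched file on disk, None if absent

def registry_only(host):
    """The check the article describes as flawed: trust the registry entry alone."""
    return "patched" if host.registry_marker else "unpatched"

def classify(host, fixed=FIXED_VERSION):
    """Decide from the file on disk; the registry entry is only a cross-check."""
    file_ok = (host.file_version is not None
               and parse_version(host.file_version) >= parse_version(fixed))
    if file_ok:
        return "patched" if host.registry_marker else "patched-no-marker"
    # Registry says installed but the file is old or missing: needs re-patching.
    return "marker-only" if host.registry_marker else "unpatched"

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    HostRecord("ws-01", True, "5.1.2600.1000"),
    HostRecord("ws-02", True, "5.1.2600.999"),    # marker set, file one build short
    HostRecord("ws-03", True, None),              # marker set, file missing
    HostRecord("ws-04", False, "5.1.2600.1001"),  # file fixed, marker never written
    HostRecord("ws-05", False, "5.1.2600.0"),
]

def audit(inventory):
    """Map host name -> (registry-only verdict, file-based verdict)."""
    return {h.name: (registry_only(h), classify(h)) for h in inventory}

if __name__ == "__main__":
    for name, (claimed, actual) in audit(INVENTORY).items():
        flag = "  <-- re-patch" if actual == "marker-only" else ""
        print(f"{name}: registry={claimed:<9} disk={actual}{flag}")
```

Versions are compared as integer tuples because a plain string comparison would rank build 999 above build 1000 and hide the host that is one build short.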

The news came as Microsoft prepared for Blaster's denial of service attack, which hit its Windows Update site on 16 August.

Microsoft would not be drawn on whether Windows Update checked for physical files or simply relied on the Windows registry. A company spokesman said, "While Microsoft is unable to discuss activity on its corporate network for security reasons, we are working to ensure that the Windows Update remains available to our customers."

According to some reports, the Blaster worm affected more than 1.5 million computers last week. Cooper believes one reason the worm was able to spread was that IT administrators and home users faced a massive task in patching their Windows PCs.

Given that the size of the patch was 1.8Mbytes, Cooper said, "If you had 1,000 machines to patch, you would need 2.5Gbytes of network bandwidth - a luxury many corporates cannot afford."

He advised anyone who is concerned about variants of Blaster affecting their systems to disable the Windows DCom component, which contains a flaw that Blaster exploits.

How to guard against Blaster   

  • Disable DCom in Windows 
  • Configure an access control list on your router 
  • Apply the Microsoft patch - but test it first. 

Source: TruSecure
