[ISN] Patch Deployment Problems Haunt Microsoft Again
InfoSec News
isn at c4i.org
Fri Oct 21 16:09:44 EDT 2005
http://www.eweek.com/article2/0,1895,1874284,00.asp
By Ryan Naraine
October 20, 2005
For the second time in as many weeks, the MSRC has revised one of its
"critical" security bulletins after some users complained of problems
figuring out which patch to apply.
It appears that Windows 2000 users running Microsoft DirectX 8.0 or
DirectX 9.0 had problems sorting through the bulletin to find the
appropriate patches.
In the ensuing confusion, the incorrect patch was applied, leaving the
PC vulnerable to code execution attacks.
A spokesperson for the Microsoft Security Response Center acknowledged
the information mix-up but stressed that only a small subset of
Windows 2000 users were affected.
"Microsoft is aware that a limited amount of customers, who may have
obtained the wrong security update for their version of DirectX, may
think they are protected, when in fact, they are not," the
spokesperson said in a statement released to Ziff Davis Internet News.
"This only affects users who have selected the wrong package
manually," she added.
The spokesperson said that PC users who obtained the security update
automatically through all Microsoft distribution tools, or have
followed the steps in the bulletin to obtain the update for their
systems, "are protected from the associated vulnerability."
The revised MS05-050 bulletin now contains a Knowledge Base article
with new information clarifying the issue.
In the article, Microsoft explained that if the individual update
package for DirectX 7.0 was installed on a Windows 2000 computer that
is running DirectX 8 or DirectX 9, the patch did not fix the
underlying vulnerability.
Additionally, in those scenarios, the user did not receive
notification that the patch was not applied.
The company also published additional information to help users verify
the version of Quartz.dll associated with the DirectX version to
determine whether a computer was correctly updated.
The MS05-050 bulletin was one of three "critical" security updates
shipped this month to cover Windows code execution holes.
The bulletin contained patches for an unchecked buffer in Microsoft
DirectShow, the default Windows component used for high-quality
capture and playback of multimedia streams. DirectShow is integrated
with other DirectX technologies.
Malicious hackers could exploit the DirectShow bug to take complete
control of an affected system, but the threat is mitigated because
some user interaction is required.
For example, the victim must be tricked into launching a specially
crafted .avi multimedia file for an attack to be successful.
Immediately after this month's Patch Tuesday, Microsoft acknowledged
that one of the patches to cover a critical Windows 2000 worm hole was
causing problems for some customers.
The problems with that patch ranged from empty Network Connections
folders to incorrect recommendations from the Windows Update Web site.
A separate Knowledge Base article was published with workarounds for
Windows XP, Windows 2000 Server and Windows Server 2003 customers with
the patch deployment problems.
More information about the ISN
mailing list