Microsoft Stands By Its Latest Patch

The company is defending against claims that its MS09-008 security fix doesn't work and that the vulnerabilities could be used to hijack network traffic.

Thomas Claburn, Editor at Large, Enterprise Mobility

March 16, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

To counter claims that its MS09-008 patch doesn't work, Microsoft on Friday explained the proper way to fix the vulnerabilities identified in its Windows DNS server and Windows WINS server software.

"There are claims that this update is ineffective," Maarten Van Horenbeeck, Microsoft's Security Research and Defense Center program manager, said in a blog post on Friday. "Let me be clear that this update will protect you and it should be deployed as soon as possible."

The vulnerabilities have to do with DNS spoofing vulnerabilities, with the Web Proxy Auto-Discovery, or WPAD, and with the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP. If exploited, these flaws could be used to hijack network traffic.

WPAD provides a way to automatically configure the proxy settings of computers on a network.

"This vulnerability could be used to launch 'man-in-the-middle' attacks on Windows DNS servers," explained Luis Corrons, director of PandaLabs, in a blog post. "The Web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled."

To fix this problem, Microsoft's patch adds a block list to its DNS server. The names on the list no longer resolve as domain names. This prevents an attack from registering a WPAD or ISATAP entry going forward.

But the patch does nothing to fix an entry registered before the patch was applied, a feature that Microsoft says is necessary to avoid negatively impacting legitimate users of these services. As a consequence, systems on which the MS09-008 vulnerability has already been exploited will remain infected after the patch.

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," explained Van Horenbeeck. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past. The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

To fix this, add "wpad" as one of the values in the GlobalQueryBlockList registry key and restart the DNS service, explained Corrons. This may not be the end of it, however, as compromised systems may have acquired additional malware.

Further details about MS09-008 can be found at the Microsoft Security Response Center blog.


InformationWeek has published an in-depth report on Windows 7. Download the report here (registration required).

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights