Microsoft has finally released a patch for a Windows security flaw which Auckland developer Zsolt Pardi says he notified the company of five months ago.
The vulnerability, referred to in security bulletin MS02-024 as “authentication flaw in Windows debugger”, gets Microsoft’s “critical” severity rating as it allows unprivileged users who log on either locally, or through a Terminal Server session, to execute uploaded code with operating system privileges.
In plain English that means that, given the right conditions, anyone can run anything on the server in question. Affected Windows versions are NT 4.0, NT 4.0 Terminal Server Edition, and Windows 2000 (all editions). Windows XP isn’t affected.
The unusual thing about the exploit is the time frame: Pardi told Computerworld he reported the issue to Microsoft New Zealand in January (see Legacy of neglect), but that his concerns were “basically rejected by Microsoft”. He also provided details of the vulnerability to Microsoft's Redmond-based security team, and gave an undertaking not to publicise the flaw.
In March details of the exploit, dubbed Debploit, were published on the internet by “EliCZ”, a group of security researchers, who included source code plus a ready-compiled binary to demonstrate the exploit.
Pardi says he remains disappointed at Microsoft's failure to acknowledge that what he notified them of was a serious vulnerability. In a statement released last week, Microsoft New Zealand enterprise sales manager Terry Allen says Pardi's "alleged vulnerability" and Debploit are separate issues.
"Debploit is considered a vulnerability because an unprivileged user (with local access to the system) can run a program and get SYSTEM privileges," says Allen's statement. "It was reported to the public mailing lists NTBUGTRAQ and BUGTRAQ on or around March 14."
Allen says the Redmond security team dismissed Pardi's warning because, as described, it relied on an internet hosting service allowing the upload of unknown code in the form of an ISAPI.DLL, which breaks basic system security rules.
Pardi says Microsoft's fixation with that fact caused it to ignore the real issue, which was the Windows vulnerability.
"I'm certain that within a month or two similar flaws will be exposed that call undocumented Windows kernel functions," Pardi says.
Christchurch antivirus and security consultant Nick FitzGerald says Microsoft has been getting tardy over critical security updates. The problem has been compounded by Microsoft actively staging the release of security patches so they are relatively few and far between, FitzGerald says.
The argument is that it allows Microsoft to do better testing and cross-checking as several fixes can be worked on by one team and co-tested for interactions, rather than having several teams working more or less at the same time, but separately on one patch each. The flipside of the coin, however, is that security updates take much longer to reach customers, says FitzGerald.