Where on earth are these Microsoft patches?

Where on earth are these Microsoft patches?Lost in the shuffle of this month’s Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed “because of a last minute quality issue.”

Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns.

The explanation from Redmond:

  • Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.

This effectively means that millions of Windows users — WMP ships with every version of the desktop operating system — are exposed to a critical, code execution vulnerability that will not be fixed for at least another month.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

The missing WMP patch is just one of a several known — and very serious — vulnerabilities that have not yet been patched by Microsoft. A few off the top of my head:

  1. Internet Explorer – Remember the Safari-to-IE blended threat from April? This vulnerability was reported to Microsoft since 2006 and, despite issuing an advisory that embarrassed Apple into shipping a Safari fix, Microsoft has still not fixed the underlying code defect. Now, I’m hearing murmurings that this issue probably won’t be fixed until Windows 7. Boo!
  2. Token Kidnapping — Four months after shipping a pre-patch advisory confirming the severity of Cesar Cerrudo’s token kidnapping (.pdf) bug, Microsoft’s fix is still not available. This issue affects Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
  3. Ghosts in Browsers — It’s been more than three months since Manuel Cabellero (now a Microsoft employee) went to Blue Hat and gave the scary ghosts-in-the-browser talk. Nate McFeters saw the carnage first hand and confirms that it affects “all browsers.” Since then, Sirdarckcat published details on IE browser flaws that entends to both IE 7 and IE 8 beta. Worse, they’re all still unpatched.
  4. Web Proxy Auto-Discovery — This man-in-the-middle WPAD issue, publicly discussed at Kiwicon last December, is another bug on Microsoft’s late list. An advisory with mitigations (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista) is available but still no patch. This issue also relates to all versions of Internet Explorer, including IE 7 for Windows Vista so it’s not insignificant.
  5. Print Table of Links (IE) - Aviv Raff’s discovery of a cross-zone issue affecting IE 7 and IE 8 beta is publicly known but, despite the availability of proof-of-concept code, there’s no fix yet from Microsoft.

If that list is not scary enough, take a peek at this upcoming advisories page maintained by TippingPoint’s Zero Day Initiative. It lists a whopping 20 unpatched vulnerabilities that have been reported to Microsoft, some more than 200 days ago.

Where on earth are these Microsoft patches?

I asked ZDI’s David Endler about this list and he confirmed they were all “high-risk” issues that were reported to Microsoft on the dates listed but he declined to discuss the status of individual vulnerabilities.

Microsoft has done a great job of improving its security posture and its relationship with hackers/researchers but the inability to issue patches in a timely manner is still a major problem.

The disclosure time-line in this Core Security advisory (scroll to bottom) shows just how frustrating it is to get Microsoft to stick to a patch release schedule. The two sides are discussing an IE vulnerability that was first reported in January 2008 but was delayed numerous times because of all kinds of (sometimes comical) hiccups.

The list above applies only to publicly known issues. Can you imagine what’s out there that’s not yet public?

* Image via Todd Bishop, Seattle PI.

[Source: zdnet]