Archive for May, 2008

Microsoft Update – Not Up To The Job

This month’s release of Microsoft security updates underscores the risk in relying on Microsoft’s patch management tools. Specifically, the Microsoft update mechanism found in Windows Update, Microsoft Update, SMS, and SCCM only scans for 75% of the security bulletins released this month. (And within that 75%, these tools don’t scan for certain older versions of products, like those running Office 2000 applications.)

MS08-029 addresses a vulnerability in the Microsoft security suite of tools that include the Microsoft malware engine, including Windows Live OneCare, Antigen for Exchange, Windows Defender, and Forefront Client Security, among others. Unfortunately, Windows update technologies won’t tell you which of your systems are vulnerable – much less which systems you have that even run these applications. Users are left on their own to launch these applications and update them.
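Because the update engine cannot even tell you which machines run these products, the first defensive step is a plain inventory. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads the standard Add/Remove Programs registry keys on each host in a list and reports any product whose display name matches one of the suites named in MS08-029. The host-list file, the output path, and the use of the Remote Registry service are assumptions.

```powershell
# Added example (not from the original post): inventory hosts that have the
# MS08-029-affected Microsoft anti-malware products installed, by reading the
# Add/Remove Programs (Uninstall) registry keys remotely.
# Assumptions: .\hosts.txt holds one hostname per line, the Remote Registry
# service is running on each host, and the caller has admin rights there.
$hosts    = Get-Content -Path '.\hosts.txt'
$patterns = 'Windows Live OneCare', 'Antigen', 'Windows Defender', 'Forefront Client Security'
$keys     = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

$results = foreach ($h in $hosts) {
    $reg = $null
    try {
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $h)
    } catch {
        # Record unreachable hosts explicitly so they are not silently missed
        [pscustomobject]@{ Host = $h; Product = '<unreachable>'; Version = '' }
    }
    if (-not $reg) { continue }

    foreach ($k in $keys) {
        $sub = $reg.OpenSubKey($k)
        if (-not $sub) { continue }           # 32-bit hosts have no Wow6432Node key
        foreach ($name in $sub.GetSubKeyNames()) {
            $app     = $sub.OpenSubKey($name)
            $display = $app.GetValue('DisplayName')
            if (-not $display) { continue }   # many Uninstall entries carry no name
            foreach ($p in $patterns) {
                if ($display -like "*$p*") {
                    [pscustomobject]@{
                        Host    = $h
                        Product = $display
                        Version = $app.GetValue('DisplayVersion')
                    }
                }
            }
        }
    }
    $reg.Close()
}

# Keep a CSV for reporting and show the table on the console (assumed output path)
$results | Sort-Object Host, Product | Export-Csv -Path '.\malware-engine-inventory.csv' -NoTypeInformation
$results | Sort-Object Host, Product | Format-Table -AutoSize
```

The version column is the installed product version, not the malware engine version that MS08-029 actually concerns; the engine version is only exposed inside each product's own update dialog, which is exactly the reporting gap the post describes. The inventory at least gives you the list of machines you must go and check.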

Although these applications “provide built-in mechanisms for automatic detection and deployment of updates”, they leave enterprises without the ability to centrally identify their risk, report on their security posture, or know their level of exposure to this issue. Microsoft Update and the WSUS engine were supposed to be the one-stop shop for understanding Microsoft patch status across the enterprise. Of course, this assumes that all Microsoft products work with the Microsoft Update engine. With the advent of the Live product line and the Microsoft security suite, Microsoft seems to believe that these products are ‘above’ the need to provide central update management capabilities alongside their peer software applications.

Security Bulletin MS08-029 discusses a security vulnerability that, while it cannot remotely take over your system, can be used to cause widespread denial of service, or when combined with other exploits, can be used to enable an attacker to gain additional access to a system (by forcing a reboot which may in turn aid other exploits in need of a system restart). In either event, I don’t want this on my network, and I’d like to know how prevalent these applications are. Until Microsoft can report centrally on the patch management status for all of its applications, I’ll stick with my thesis – Microsoft Update is not up to date.
