Microsoft used to be notoriously slow about releasing patches, taking months and in some cases years to produce fixes, much to the dismay of customers and the researchers who reported the vulnerabilities. That’s certainly changed in the last few years with the advent of Patch Tuesday, but this week’s release of the MS08-068 patch was an interesting case study in how circumstances can still prevent vendors from getting fixes out for long-known problems.
Microsoft has known about the vulnerability in the Microsoft Server Message Block Protocol since 2001. (To put that in perspective, there are kids in first grade who have never known a world in which the SMB protocol wasn’t broken.) But after looking at the problem, analysts in the Microsoft Security Response Center decided there was no good way to fix the flaw without breaking a lot of other things.
When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.
That’s a pretty big obstacle to fixing the problem. So Microsoft decided against the fix, but kept working on the issue over the years, and eventually came up with a way to make it work. I think it’s important to note here that Microsoft could easily have just sort of swept this problem under the rug and said, “Everyone will forget about this in a few months, and we’ll just keep fixing the ones we’re able to fix, and that will get the attention.” But to the company’s credit, that’s not what happened. They kept chipping away at it, and eventually figured it out.
Still, as Zero Day’s Ryan Naraine points out, there are other vulnerabilities in the Microsoft warehouse gathering dust for reasons unknown:
Oh, by the way, there’s another outstanding issue collecting cobweb. This ‘token kidnapping’ issue was first discussed in March 2008 and, after a bit of hemming and hawing, confirmed in this Microsoft security advisory. Exploit code for this privilege escalation vulnerability was publicly released last month.
Microsoft knows all this.
We are still waiting on a patch.
The waiting is the hardest part, as the man once said. Here’s hoping it’s not another seven years for this one.