The SMBRelay attack was first discovered in 2001

Nov 12, 2008 11:33 GMT

On November 11, 2008, Microsoft issued a patch for a security vulnerability whose lifetime could easily rival that of Windows operating systems themselves. Microsoft Security Bulletin MS08-068 was designed to resolve a security vulnerability in the Microsoft Server Message Block (SMB) Protocol, which was initially reported to the Redmond company in 2001.

The vulnerability affects all supported Windows client and server platforms, including Windows XP Service Pack 3 (rated Important) and Windows Vista Service Pack 1 (rated Moderate). Christopher Budd, a security program manager in the Microsoft Security Response Center, explained the company's reasons for letting the security flaw go unpatched for seven years.

“When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications,” he stated. “And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.”

Budd added that although Microsoft did not, in fact, patch the SMBRelay attack, XP Service Pack 2 and Windows Vista did contain incremental changes designed to increase the protection offered to users. Microsoft found the key to putting together the security patch in that incremental work done for Windows. As soon as the patch met the quality bar required for release, Microsoft made it available.

“Our engineering teams spent a great deal of time testing this approach and found it was feasible. We then took that work and developed it into a security update, putting it through our standard testing to ensure it met an appropriate level of quality for broad release. What we released today with MS08-068 is that security update. It addresses the SMBRelay issue but does so in a way that doesn’t have the negative impact on applications that we originally believed addressing this issue would have,” Budd said.

November 11 marks the release of only two security bulletins: MS08-068 and MS08-069. While the former is considered to be just Important, the latter has been labeled with a maximum severity rating of Critical.