Stresses Microsoft

Mar 16, 2009 11:48 GMT  ·  By

On March 10, 2009, Microsoft released three security bulletins designed to deal with vulnerabilities in Windows client and server platforms. Security Bulletin MS09-008, rated Important, patches issues in DNS and WINS Server affecting Windows 2000 Server, Windows Server 2003, and Windows Server 2008. Over the past week, Microsoft dismissed claims that MS09-008 did not actually patch the DNS Server Vulnerability in WPAD Registration Vulnerability (CVE-2009-0093). Robert Hensing, MSRC Engineering, Bruce Dang, MSRC Engineering, Jeff Westhead, Windows Core Networking, and Shyam Seshadri, Windows Core Networking, made available documentation describing in detail the security holes associated with MS09-008 and the updates made available by Microsoft.

“There are claims that this update is ineffective. Let me be clear that this update will protect you and it should be deployed as soon as possible. Below is an overview on how the complete security update helps protect a system,” Hensing stated.

Bill Sisk, Response Communications manager, MSRC, also dismissed the possibility of MS09-008 being ineffective. Sisk indicated that Microsoft had reviewed all the feedback it received, and assured Windows Server customers who deployed the security bulletin that they were indeed protected against attacks targeting the vulnerabilities patched via MS09-008. The software giant says that it is not aware of any attacks targeting security holes plugged by MS09-008.

“One concern that was raised by a security researcher is that an attacker may have introduced a malicious WPAD entry through a dynamic DNS update. When you install the security update after such an attack has taken place, the WPAD name will not be added to the block list, and the attack will continue to be effective,” Hensing revealed.

Hensing stressed that such a scenario was not addressed in any manner by MS09-008, or by any Microsoft security bulletin for that matter. This is because the Redmond company's view of its updates is that the patches are designed to resolve existing security issues and to render useless any exploits targeting the vulnerabilities, but not to undo the results of past attacks.

“The update does not actively change the current configuration. When installing the update, it has no way of knowing whether the WPAD entry was configured by an administrator or an attacker,” Hensing added.
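Because the update leaves an existing WPAD entry in place and cannot tell who created it, an administrator has to find and review such records manually. The following added example (not from Microsoft or the article) audits a zone export for host records whose leftmost label is `wpad`; the zone text is constructed, and the standard master-file format with one record per line is an assumption.

```python
# Added example: list pre-existing WPAD host records in a DNS zone export so an
# administrator can confirm each one is legitimate. Assumes master-file format,
# one record per line (no parenthesised multi-line records).

# Constructed sample zone, using documentation address space.
SAMPLE_ZONE = """\
$ORIGIN corp.example.
@        3600 IN SOA   ns1 hostmaster 2009031601 900 600 86400 3600
@        3600 IN NS    ns1
ns1      3600 IN A     192.0.2.10
www      3600 IN A     192.0.2.20
WPAD     1200 IN A     192.0.2.77   ; who registered this?
wpad.lab 1200 IN CNAME proxy.lab
mywpad   3600 IN A     192.0.2.30
"""

HOST_TYPES = {"A", "AAAA", "CNAME"}  # types that can answer a lookup of the name


def find_wpad_records(zone_text, origin=""):
    """Return (fqdn, type, rdata) for each host record whose first label is 'wpad'."""
    hits, last_owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip trailing comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):             # other directives ($TTL, ...)
            continue
        if raw[0] in " \t":                       # blank owner: reuse previous one
            owner = last_owner
        else:
            owner, fields = fields[0], fields[1:]
            last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                   # skip optional TTL and class
        if owner is None or not fields:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.lower()
        else:
            fqdn = f"{owner}.{origin}".lower()
        if rtype in HOST_TYPES and fqdn.split(".")[0] == "wpad":
            hits.append((fqdn, rtype, rdata))
    return hits
```

Any record it returns should be traced to a known administrative change before it is kept.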