| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Nov 2014 22:13:03 -0800 From: Susan Bradley <sbradcpa@...bell.net> To: Stefan Kanthak <stefan.kanthak@...go.de>, bugtraq@...urityfocus.com Cc: fulldisclosure@...lists.org Subject: Re: [FD] Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates Be aware that any out of date Silverlight will be blocked as of November's IE release. http://blogs.msdn.com/b/ie/archive/2014/10/14/october-2014-updates-and-a-preview-of-changes-to-out-of-date-activex-control-blocking.aspx http://technet.microsoft.com/en-us/ie/dn818438.aspx "This update notifies you when a Web page tries to load a Silverlight ActiveX control older than (but not including) Silverlight 5.1.30514.0." It's been my experience that once the application has been installed that as long as you are opted into Microsoft update (not Windows update - which only offers up updates for the operating system), you do get security updates for that installation. It's also been my experience that when a new revision of "fill in the blank" is released, I get it offered up again as the metadata of the patch has changed. Ergo why I am CONSTANTLY ignoring that dang Silverlight on the Servers I patch where I don't want it in the first place. [Yes I could do server core where this is a non issue, but I don't] I also did a test where I hid 2977218, installed the prior version and when next I MU'd, I got 2977218. Perhaps they have changed the behavior to where you will get updates offered up even if you previously hid the update in question. Also be aware that in Windows 10 there appears to be a new patching cadence coming (details still to come) as well as defender is now installed - and patched - by default: http://blogs.windows.com/business/2014/09/30/introducing-windows-10-for-business/ "Businesses will be able to opt-in to the fast-moving consumer pace, or lock-down mission critical environments to receive only security and critical updates to their systems. And businesses will have an in-between option for systems that aren’t mission critical, but need to keep pace with the latest innovations without disrupting the flow of business. And the choice isn’t one or the other for businesses; we expect that most will require a mixed approach where a number of scenarios can be accommodated. Consumers, and opt-in businesses, will be able to take advantage of the latest updates as soon as they are available, delivered via Windows Update. Business customers can segment their own user groups, and choose the model and pace that works for them. They will have more choice in how they consume updates, whether through Windows Update or in a managed environment. And for all scenarios, security and critical updates will be delivered on a monthly basis." On 11/23/2014 7:22 AM, Stefan Kanthak wrote: > Hi @ll, > > after opting in to Microsoft Update additional (optional) software > like Silverlight or Microsoft Security Essentials is offered when > a user performs a "custom search" for updates. > > Initially the current versions of this additional software are > offered as "optional updates" for download and installation. > For Silverlight cf. <https://support.microsoft.com/kb/2977218> > > If the user but does not want to install this software and checks > the box "[x] Do not show this update´again", the next time he > performs a "custom search" for updates the previous version of this > software is offered until ALL of them are hidden. > > In case of Silverlight or Microsoft Security Essentials ALL these > previous versions are but vulnerable, outdated and superseded. > > When I reported this behaviour as security bug on July 11, 2012 > the MSRC answered: > > | The behavior you're seeing is desirable and expected behavior to > | help customers maintain a good level of security even if they > | decline the most recent security update. When the most recent > | update for a product or component is hidden (which indicates the > | user doesn't want the update to be offered ever again), we'll > | offer the next newest (previously superseded) item to help > | maintain some level of security. This behavior will continue > | down the entire supersedence 'chain' in order to offer the 'next > | best' update for any user that declines the newest (or the next > | newest) update. > | > | This is one of the ways Microsoft and Windows Update attempt to > | provide the 'next best' update even if the user declines the > | most recent (best) update. > > I doubt that this behaviour is REALLY desirable for "optional > updates" like Silverlight: Silverlight is not installed by default > and therefore doesnt need any updates! > > > If a user (or a 3rd party application) but installs one of these > vulnerable, outdated and superseded versions after hiding them all > Microsoft Update does NOT offer the necessary security updates, > ALTHOUGH these updates have become (critical or important) > "security updates" now and are no "optional updates" any more. > > So: user^Wadministrator BEWARE! > > regards > Stefan Kanthak > > > JFTR: unfortunately there dont exist registry entries like those > for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11 > to generally block the offering/installation of Silverlight > or Microsoft Security Essentials per Windows Update. > > Cf. <https://support.microsoft.com/kb/982320>, > <https://support.microsoft.com/kb/2721187>, > <https://support.microsoft.com/kb/928675> and > <https://technet.microsoft.com/library/dd365124.aspx>, > <https://support.microsoft.com/kb/2695147> and > <https://technet.microsoft.com/library/gg615600.aspx>, > <https://msdn.microsoft.com/library/jj898509.aspx> and > <https://technet.microsoft.com/library/dn146011.aspx>, > <https://technet.microsoft.com/library/dn449234.aspx> > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists