lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <D80092D7523545128576C324C1745C1D@W340>
Date: Sun, 23 Nov 2014 16:22:38 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 20): Microsoft
	Update may fail to offer current security updates

Hi @ll,

after opting in to Microsoft Update additional (optional) software
like Silverlight or Microsoft Security Essentials is offered when
a user performs a "custom search" for updates.

Initially the current versions of this additional software are
offered as "optional updates" for download and installation.
For Silverlight cf. <https://support.microsoft.com/kb/2977218>

If the user but does not want to install this software and checks
the box "[x] Do not show this update´again", the next time he
performs a "custom search" for updates the previous version of this
software is offered until ALL of them are hidden.

In case of Silverlight or Microsoft Security Essentials ALL these
previous versions are but vulnerable, outdated and superseded.

When I reported this behaviour as security bug on July 11, 2012
the MSRC answered:

| The behavior you're seeing is desirable and expected behavior to
| help customers maintain a good level of security even if they
| decline the most recent security update.  When the most recent
| update for a product or component is hidden (which indicates the
| user doesn't want the update to be offered ever again), we'll
| offer the next newest (previously superseded) item to help
| maintain some level of security.  This behavior will continue
| down the entire supersedence 'chain' in order to offer the 'next
| best' update for any user that declines the newest (or the next
| newest) update.
|
| This is one of the ways Microsoft and Windows Update attempt to
| provide the 'next best' update even if the user declines the
| most recent (best) update.

I doubt that this behaviour is REALLY desirable for "optional
updates" like Silverlight: Silverlight is not installed by default
and therefore doesnt need any updates!


If a user (or a 3rd party application) but installs one of these
vulnerable, outdated and superseded versions after hiding them all
Microsoft Update does NOT offer the necessary security updates,
ALTHOUGH these updates have become (critical or important)
"security updates" now and are no "optional updates" any more.

So: user^Wadministrator BEWARE!

regards
Stefan Kanthak


JFTR: unfortunately there dont exist registry entries like those
      for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11
      to generally block the offering/installation of Silverlight
      or Microsoft Security Essentials per Windows Update.

      Cf. <https://support.microsoft.com/kb/982320>,
      <https://support.microsoft.com/kb/2721187>,
      <https://support.microsoft.com/kb/928675> and
      <https://technet.microsoft.com/library/dd365124.aspx>,
      <https://support.microsoft.com/kb/2695147> and
      <https://technet.microsoft.com/library/gg615600.aspx>,
      <https://msdn.microsoft.com/library/jj898509.aspx> and
      <https://technet.microsoft.com/library/dn146011.aspx>,
      <https://technet.microsoft.com/library/dn449234.aspx>


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ