[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <D80092D7523545128576C324C1745C1D@W340>
Date: Sun, 23 Nov 2014 16:22:38 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 20): Microsoft
Update may fail to offer current security updates
Hi @ll,
after opting in to Microsoft Update additional (optional) software
like Silverlight or Microsoft Security Essentials is offered when
a user performs a "custom search" for updates.
Initially the current versions of this additional software are
offered as "optional updates" for download and installation.
For Silverlight cf. <https://support.microsoft.com/kb/2977218>
If the user but does not want to install this software and checks
the box "[x] Do not show this update´again", the next time he
performs a "custom search" for updates the previous version of this
software is offered until ALL of them are hidden.
In case of Silverlight or Microsoft Security Essentials ALL these
previous versions are but vulnerable, outdated and superseded.
When I reported this behaviour as security bug on July 11, 2012
the MSRC answered:
| The behavior you're seeing is desirable and expected behavior to
| help customers maintain a good level of security even if they
| decline the most recent security update. When the most recent
| update for a product or component is hidden (which indicates the
| user doesn't want the update to be offered ever again), we'll
| offer the next newest (previously superseded) item to help
| maintain some level of security. This behavior will continue
| down the entire supersedence 'chain' in order to offer the 'next
| best' update for any user that declines the newest (or the next
| newest) update.
|
| This is one of the ways Microsoft and Windows Update attempt to
| provide the 'next best' update even if the user declines the
| most recent (best) update.
I doubt that this behaviour is REALLY desirable for "optional
updates" like Silverlight: Silverlight is not installed by default
and therefore doesnt need any updates!
If a user (or a 3rd party application) but installs one of these
vulnerable, outdated and superseded versions after hiding them all
Microsoft Update does NOT offer the necessary security updates,
ALTHOUGH these updates have become (critical or important)
"security updates" now and are no "optional updates" any more.
So: user^Wadministrator BEWARE!
regards
Stefan Kanthak
JFTR: unfortunately there dont exist registry entries like those
for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11
to generally block the offering/installation of Silverlight
or Microsoft Security Essentials per Windows Update.
Cf. <https://support.microsoft.com/kb/982320>,
<https://support.microsoft.com/kb/2721187>,
<https://support.microsoft.com/kb/928675> and
<https://technet.microsoft.com/library/dd365124.aspx>,
<https://support.microsoft.com/kb/2695147> and
<https://technet.microsoft.com/library/gg615600.aspx>,
<https://msdn.microsoft.com/library/jj898509.aspx> and
<https://technet.microsoft.com/library/dn146011.aspx>,
<https://technet.microsoft.com/library/dn449234.aspx>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists