Wednesday, November 12, 2008

Microsoft patches security hole after 7 years

Microsoft acknowledges that tools such as Metasploit have been able to carry out an attack based on the SMB vulnerability without saying how long the flaw has been around.
As El Reg dryly puts it, "better late than never".

But not so fast. The Metasploit blog has some interesting nuggests, including the fact that the patch doesn't address all the ways to exploit the bug:
The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to. This can be accomplished by setting the SMBHOST parameter in the Metasploit smb_relay module to a third-party server. There are many cases where this is useful, especially in LAN environments where various tools authenticate to all local hosts with a domain administrator account (vulnerability scanners, inventory management, network monitor software, etc).
Look, fixing security problems is a hard and thankless task. But I'd hope that whoever is doing it exercises their Google-fu. Here's a 5 year old security advisory that describes the part that Microsoft didn't fix.

Epic fail of the Microsoft patch process.

No comments: