Tuesday 27 January 2009

MS05-022: Nothing a new version won't fix

I received an automated Microsoft Security Bulletin email over the weekend and was a little surprised about the nature of the change.


The email was about a revision to Microsoft Security Bulletin MS05-022, a bulletin originally released over 3 years ago. And, yes, it was an update to an update. The offending bit of code is Messenger: the original bulletin referred to MSN Messenger 6.2 (quite a few versions back now).


The security bulletin can be found here: http://www.microsoft.com/technet/security/bulletin/ms05-022.mspx


This is quite a serious issue, as the bulletin states: "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."


Here is the revision history of this bulletin:


  • V1.0 (April 12, 2005): Bulletin published
  • V1.1 (May 11, 2005): Bulletin updated with correct file version information for MSN Messenger 6.2
  • V2.0 (January 21, 2009): Bulletin updated. Replaced the download link for MSN Messenger 6.2 with the bulletin link to MS07-054. Users may either use the specific download link in MS07-054 to upgrade, or log on to MSN Messenger service to accept the required upgrade.


It looks like the bulletin got a full version increment because, in 2007, the fix for this issue was re-released as MS07-054.


Why is this important? And, why am I writing about this?


Well, our normal approach for analysing patches is to determine which files or registry settings the update changes, and from that determine which configuration settings and dependencies may affect your application portfolio. For example, the first (and only) update for this year, MS09-001, updated a single file, SRV.SYS.
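The file-level check that approach boils down to, written out as an added example (this is not code from the original post or from Microsoft): take the files a bulletin lists, read the version actually installed, and report which ones fall short. Every path and minimum version below is a placeholder and must be replaced with the values from the bulletin you are analysing; the same check covers an "upgrade the whole application" bulletin such as the MS05-022 revision, by pointing at the application's executable and requiring the version the bulletin calls current.

```powershell
# Added example, not code from the original post. It applies the patch-analysis approach
# described above: take the files a bulletin lists, read the version actually installed,
# and report which ones fall short. Every path and version below is a PLACEHOLDER;
# substitute the values from the bulletin you are analysing.
$Requirements = @(
    [pscustomobject]@{ Bulletin = 'MS09-001'; Path = "$env:SystemRoot\System32\drivers\srv.sys"; MinVersion = '0.0.0.0' }
    # An "upgrade the whole application" bulletin is checked the same way: point at the
    # application's executable and require the version the bulletin says is current.
    [pscustomobject]@{ Bulletin = 'MS05-022'; Path = "$env:ProgramFiles\MSN Messenger\msnmsgr.exe"; MinVersion = '0.0.0.0' }
)

function Get-ComparableVersion {
    # FileVersion strings can carry text suffixes, so build a [version] from the numeric parts.
    param([System.Diagnostics.FileVersionInfo]$Info)
    return [version]('{0}.{1}.{2}.{3}' -f $Info.FileMajorPart, $Info.FileMinorPart, $Info.FileBuildPart, $Info.FilePrivatePart)
}

function Test-BulletinFile {
    param([string]$Bulletin, [string]$Path, [string]$MinVersion)
    $result = [ordered]@{ Bulletin = $Bulletin; Path = $Path; Installed = $null; Required = $MinVersion; Status = $null }
    if (-not (Test-Path -LiteralPath $Path)) {
        # Absent file: either the component is not installed (no exposure) or the path is wrong.
        $result.Status = 'NotInstalled'
        return [pscustomobject]$result
    }
    $installed = Get-ComparableVersion -Info (Get-Item -LiteralPath $Path).VersionInfo
    $result.Installed = $installed.ToString()
    $result.Status = if ($installed -ge [version]$MinVersion) { 'Patched' } else { 'NeedsUpdate' }
    return [pscustomobject]$result
}

$report = foreach ($r in $Requirements) {
    Test-BulletinFile -Bulletin $r.Bulletin -Path $r.Path -MinVersion $r.MinVersion
}
$report | Format-Table -AutoSize

# Exit non-zero when anything needs attention, so the script can feed a scheduled inventory job.
if ($report | Where-Object Status -eq 'NeedsUpdate') { exit 1 }
```

Run it from an elevated prompt on each machine (or through your inventory tooling) and keep the `$Requirements` table alongside the bulletin it was built from; when a bulletin is revised, as MS05-022 was, the row is what changes, not the check.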


Well, the payload for this update is not a WSU file or a Microsoft hotfix-style executable (EXE) but a link to a completely new version of the application. Basically, Microsoft is saying,


"There is a security issue here. And, you need to download the latest version"


This in itself is not a problem. Vendors do this all of the time. We do it (yes, we do). I guess the challenge here is that you may be using version 6.2 of Messenger and the security update is... upgrade to version 8!


Well, as my friendly mechanic says, "There is no problem that a new car won't fix." And in this case, the update is an upgrade.


