Wednesday, March 18, 2009

MS09-008. Does the patch work?

If successful attack has already taken place before applying the patch, applying the patch will not fix the issue...

This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.

As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Once created these values in the registry, if anyone tries to launch a “man-in-the-middle” attack it won’t success, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.

However, in the case of MS09-008 patch it doesn’t work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn’t solve the problem and the “man-in-the-middle” attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is “isatap” instead of “wpad isatap”, so the queries to WPAD are not being blocked.

In case a successful attack has already taken place before applying the patch, your traffic can be being redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there “sniffing” all your traffic.

To solve this, it is only needed to add in the registry to the value GlobalQueryBlockList the data wpad and restart the DNS service. Microsoft guys have blogged about this and how to resolve this, you can find more information here.

No comments: