Latest Windows patch seven years in the making
Security experts say one of the vulnerabilities fixed by this week’s Windows Update has been a known problem since at least 2001. The Server Message Block issue has even been used in security training events.
The problem affects the software used to run Windows’ filesharing and network printing features. It’s not a major problem for home users with an effective firewall, but large corporations are at particular risk if somebody with evil intentions can access a machine on their network.
Eric Schultze, the same man who questioned Microsoft for only ranking the issue as ‘important’ rather than ‘critical’ this week, says he has been demonstrating the issue for years to show how important network security is. He argues it’s a particularly serious issue because there is no way to tell that somebody has exploited it until you feel the effects of hacking or data loss.
Schultze says he’s tested the new patch and found it addresses a particular style of attack which was first publicized in March 2001. The general issue was actually first raised at a security conference the previous summer.
The vulnerability gained more attention last July when a system for exploiting it was included in Metasploit, an online resource designed to assist security researchers (though no doubt also of interest to hackers). Indeed, in a blog posting this week, Microsoft even acknowledges the attack technique is publicly available through Metasploit.
There doesn’t seem to be any clear reason why Microsoft took so long to fix the issue. In some senses it’s turned out to benefit the firm by allowing it to point out that the vulnerability is a lot less serious on Vista than previous incarnations of Windows. However, even the most hardened cynic would have to acknowledge Microsoft probably didn’t foresee that opportunity seven years ago.

November 14th, 2008
If you’re a corporation and can’t maintain physical and access control of the machines on your network, you DESERVE to be hacked by this. Seriously, those things should be basic tenets of security that make such vulnerabilities as this far less than ‘critical’.