UPDATED: Misleading and Incomplete Information in MS06-015

UPDATE APRIL 21: In response to reports of compatibility problems with the new extension verification component (verclsid.exe) of the MS06-015 update, Microsoft plans to issue a revised version of MS06-015 on Tuesday, April 25th. The updated update will effectively whitelist four extension class IDs. These are associated with HP Share-to-Web and some NVIDIA software.

Microsoft’s original workaround, as provided by Mike Reavey and documented in Microsoft Knowledge Base Article 918165, only addresses one of the two compatibility problems. If you have the problems described in that article after applying the update and the previous registry fix did not work for you, I’ve provided two registry scripts that may help alleviate these issues.

The registry scripts are based on information from the newly-revised MS06-015 as well as the aforementioned article. It is worth mentioning that these registry files have only been tested for correctness, not on a wide range of systems, as the affected population seems to be fairly small. If you can, wait for Microsoft’s re-release of the MS06-015 patch on April 25th. If you have issues with the application or compatibility of either of these, let me know, but by using them, you do so at your own risk.

The download locations are:

My PGP key is available from the MIT key server (pgp.mit.edu). You may retrieve it via the web.

You are encouraged to back up the relevant hive of the registry (or the entire registry, if possible) before making these changes. This will minimize downtime in the event of an unforeseen compatibility problem. You may find more information on how to backup the registry in Microsoft Knowledge Base articles 322756 (Windows XP and Windows Server 2003) and 322755 (Windows 2000).
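As an added illustration (this is not one of the registry scripts linked from this post), the batch file below shows the mechanism the KB 918165 workaround relies on, with the backup step built in: it exports the Shell Extensions key with reg.exe before touching anything, then adds a Cached entry for each listed CLSID so that the shell treats that extension as already verified and does not invoke verclsid.exe for it. The CLSID list is a placeholder to be replaced with the CLSIDs of the extensions that actually hang on your system, and the value-name layout (the {000214E6-…} interface ID followed by 0x401) is my reading of KB 918165; check it against the current revision of that article before relying on it. It assumes reg.exe, which is built into Windows XP and Windows Server 2003 and ships with the Support Tools on Windows 2000.

```batch
@echo off
rem Added example, not one of the scripts distributed with this post.
rem Whitelists shell-extension CLSIDs for the MS06-015 verclsid.exe check,
rem after exporting the affected key so the change can be undone.
rem Run from an administrative command prompt.
setlocal

set KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
set CACHED=%KEY%\Cached
rem Interface ID that appears in the Cached value name (per KB 918165,
rem as I read it): IID_IShellFolder.
set IID={000214E6-0000-0000-C000-000000000046}
rem PLACEHOLDER: replace with the CLSID(s) of the extension(s) that hang.
rem Space-separated; each one gets its own Cached entry.
set CLSIDS={00000000-0000-0000-0000-000000000000}

rem 1. Back up the whole Shell Extensions key before changing it
rem    (the KB 322756 / 322755 advice, scripted). Refuse to go on if
rem    the export fails.
set BACKUP=%TEMP%\ShellExtensions-backup.reg
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; not changing anything.
    exit /b 1
)
echo Backup written to %BACKUP%
echo To undo:  reg import "%BACKUP%"

rem 2. Mark each CLSID as already verified. The shell consults this
rem    key before launching verclsid.exe, so a listed extension is
rem    loaded without the verification step that is hanging.
for %%C in (%CLSIDS%) do (
    reg add "%CACHED%" /v "%%C %IID% 0x401" /t REG_DWORD /d 1 /f >nul
    if errorlevel 1 (
        echo Failed to add Cached entry for %%C
    ) else (
        echo Added Cached entry for %%C
    )
)

rem 3. Show the resulting Cached entries so the change can be reviewed.
reg query "%CACHED%"
endlocal
```

Two notes on using this. First, a Cached entry is a statement that the extension has been checked and is safe to load, which is exactly the protection MS06-015 added; only whitelist CLSIDs you have traced to software you trust, and keep the list as short as the hang requires. Second, a bare reg import of the backup file restores the values that existed at export time but does not remove values added afterwards, so to back out fully, delete the added entries with reg delete (or from the exported file's contents) rather than relying on the import alone.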

Microsoft’s Patch Tuesday has struck again. It seems that, in order to enjoy Microsoft’s recent patch days, one must really appreciate the oh-so-sweet smell of downplay.

Today was no exception. Today’s downplay of the month goes to MS06-015. That bulletin announced a patch which supposedly plugged a single “Windows Shell Vulnerability” involving the shell’s handling of COM objects. It states, rather paradoxically:

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

[...]

Note The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289.

According to a VIM post by Steve Christey, this vulnerability has been known since May 2004. So, let me get this straight. The vulnerability that is documented was privately reported, but the “variation” that was also patched has been publicly known for 700+ days. In that case, the issue that is truly the “variation” is the one that was discovered and reported privately after the public disclosure. At least, that’s how I hope it went down. Regardless, the information as published is extremely misleading, and Microsoft’s choice not to document a publicly-reported vulnerability does not serve its customers’ security.

More interesting is this convenient phrasing in MS06-015. The update includes two “changes to functionality”, one of which is below:

This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios.

Oh, and do tell us, Microsoft, what threat is this meant to address, exactly? The implicit statement the bulletin makes is rather clear: prompting in Internet zone drag-and-drop scenarios was previously inconsistent. That’s not exactly rocket science to anybody, and in fact, it sounds suspiciously like an attempt to plug the vulnerability I reported publicly in February, CVE-2005-3240. Without testing that hypothesis, I will refrain from passing immediate judgment or speculating on how likely it is. The bottom line is this: we just don’t know.

Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot: you simply don’t know what the patches are for. It’s virtually impossible to settle on a deployment timeframe when not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information.

Every time Microsoft seems to be getting the security pitch right, one gets thrown in the dirt. Microsoft needs a new ball. MS06-015 should be revised or completely rewritten, with the objective of providing sensible, coherent and complete information to customers.

  • Pingback: Emergent Chaos

  • http://blog.freyguy.com KevFrey

    I really couldn’t agree more. I have been consistently frustrated by MSFT’s bland, corporate-speak when deploying new patches. As a security manager I find it difficult to properly test the patches as they are deployed in my sandbox group since I’m not exactly sure what I’m testing (I don’t have a ‘red phone’ back to Redmond that allows me inside information about the patches).

    Thank you for writing the comment, and thanks for your ongoing research.

    KevFrey

  • Al Newsom

    Application of this patch MS06-015 will break Norton Ghost 9.0 and your wireless network connections. Removal of KB908531 restored functionality.

  • ROUX

    Application of this patch MS06-015 (KB 908531) will break access to “register under…” for Excel 2003 and Word 2003… applications.
    Removal of KB908531 restored functionality.

    FR

  • T Saunders

    Application of this patch appears to have broken Word. I have a (very unhappy) customer whose Word app hangs whilst trying to open any docs from his My Docs folder over a VPN to his office.

    I’ve removed the patch from the server, but am loath to remote re-boot, as I had several servers not shutdown properly on Thurs 13/04 due to the release that morning of a handful of updates.

    I agree with Kev Frey. As admin of several SBS2003 servers running WSUS, to actually know what these updates fix, and more importantly, break, would be a Godsend.

  • http://N/A Steve Long

    The latest security blivet hosed my Word’s (and Outlook’s as well) ability to conventionally save to My Documents. I was able to dance around it, but am frosted that I nearly lost an entire soccer article just as I completed it. This retired MCSE 4.0 is not pleased. I tried Mike Reavey’s registry hack without success.

  • A.Hitchman

    I used to be able to import .fil & .fis xls files into my Proworks PLC software, now it all just hangs up. Tried Mike Reavey’s regedit modification, doesn’t seem to make any difference. Can I take out MS06-015 (KB908531)?

  • http://www.halpinlaw.com Matthew Halpin, Esq.

    MS06-015 must NOT be installed! If you have any – I mean ANY – HP software or hardware on your system – your MS Office products will shut down. Microsoft has finally acknowledged this on their own web page. The “resolution” is some silly programming method – I am no programmer – I buy the software so I do not need to program – MS better get a fix and quick – I have turned off my automatic updates option – mostly to protect myself from Microsoft themselves

  • C T MCP

    Agree with Matthew Halpin. A bit of research elsewhere and it seems if you have any HP software, the MS06-015 patch causes a lot of problems with Word, Excel & Outlook – how ironic that MS products are affected! After deploying the patch through WSUS to our network, I’ve now had to script a rename of the offending new binary – ‘verclsid.exe’, found in system32 – so that it doesn’t run, & unapprove installation of the update.
    Come on MS – get it sorted!

  • Mary McMullen

    I am a victim of the MS06-015 update also. I tried the fix for the Registry that was given but it did not fix the problem. Can anyone here tell me what to do so that I can go back to using my computer in a normal way? I would appreciate your help.

  • Stuart Farnell

    Also been caught out by this update (MS06-015). I understand from reading numerous newspaper articles (Fox News) and newsgroup forums that this also conflicts with NVIDIA cards and drivers. I can no longer right click on my desktop!

    I don’t reckon MS know the extent of the problems with the patch. I am also running HP Photosmart and note on the HP website that there is a critical update patch that affects iTunes, but I’m loath to download it in case it causes more problems.

    MS also reckon updating drivers for NVIDIA and HP resolves the problem, but the HP exe file they say causes the problem is not even on my PC!

    I have also tried the registry update and it doesn’t work.

    They need to sort a patch and soon!

  • Jill Engledow

    I can only add my voice of frustration and anger to those above–this stupid “fix” is messing with the program I use daily to make my living, and I expect Microsoft to come up with a solution pronto!

  • stuart farnell

    at last the patch is ready and it works a treat… so far!!!!
    http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx

  • Pingback: Donna's SecurityFlash