UPDATED: Misleading and Incomplete Information in MS06-015
UPDATE APRIL 21: In response to reports of compatibility problems with the new extension verification component (verclsid.exe) of the MS06-015 update, Microsoft plans to issue a revised version of MS06-015 on Tuesday, April 25th. The updated update will effectively whitelist four extension class IDs. These are associated with HP Share-to-Web and some NVIDIA software.
Microsoft’s original workaround, as provided by Mike Reavey and documented in the KB article, only addresses one of the two compatibility problems. If you have the problems described in Microsoft Knowledge Base Article 918165 after applying the update and the previous registry fix did not work for you, I’ve provided two registry scripts that may help alleviate these issues.
The registry scripts are based on information from the newly-revised MS06-015 as well as the aforementioned article. It is worth mentioning that these registry files have only been tested for correctness, as the population base affected seems to be fairly low. If you can, wait for Microsoft’s re-release of the MS06-015 patch on April 25th. If you have issues with the application or compatibility of either of these, let me know, but by using them, you do so at your own risk.
The download locations are:
My PGP key is available from the MIT key server (pgp.mit.edu). You may retrieve it via the web.
You are encouraged to back up the relevant hive of the registry (or the entire registry, if possible) before making these changes. This will minimize downtime in the event of an unforeseen compatibility problem. You may find more information on how to backup the registry in Microsoft Knowledge Base articles 322756 (Windows XP and Windows Server 2003) and 322755 (Windows 2000).
Microsoft’s Patch Tuesday has struck again. It seems, that in order to enjoy Microsoft’s recent patch days, one must really appreciate the oh-so-sweet smell of downplay.
Today was no exception. Today’s downplay of the month goes to MS06-015. That bulletin announced a patch which supposedly plugged a single “Windows Shell Vulnerability” involving the shell’s handling of COM objects. It states, rather paradoxically:
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
Note The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289.
According to a VIM post by Steve Christey, this vulnerability has been known since May 2004. So, let me get this straight. The vulnerability that is documented was privately-reported, but the “variation” that was also patched has been publicly known for 700+ days. In that case, the issue that is truly the “variation” is the issue that was discovered and reported privately after the public disclosure. At least, that’s how I hope it went down. Regardless, the information as published is extremely misleading and Microsoft’s choice not to document a publicly-reported vulnerability is not one that will be for the benefit of its customers’ security.
More interesting, is this convenient phraseology in MS06-015. The update includes two “changes to functionality”, one of which is below:
This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios.
Oh, and do tell us, Microsoft, what threat is this meant to address, exactly? The implicit statement the bulletin makes is rather clear: prompting in internet zone drag and drop scenarios was previously inconsistent. That’s not exactly rocket-science to anybody, and in fact, it sounds suspiciously like an attempt to plug the vulnerability I reported publicly in February, which is CVE-2005-3240. Now, without testing that hypothesis, I will refrain from passing immediate judgment or speculating on the likelihood of that possibility. The bottom line is this: we just don’t know.
Microsoft needs to be much more transparent about the real nature of the threats customers are facing. Microsoft doesn’t patch phantom vulnerabilities that don’t exist or unrealistic science-fiction attack scenarios. Microsoft’s under-documentation of these vulnerabilities leaves those charged with deploying patches in a tough spot. You simply don’t know what the patches are for. It’s virtually impossible to make a determination about a deployment timeframe if not deploying a patch has the potential to place you at an additional, unknown risk. As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information.
Everytime Microsoft seems to be getting the security pitch right, one gets thrown in the dirt. Microsoft needs a new ball. MS06-015 should be revised or completely rewritten, with the objective of providing sensible, coherent and complete information to customers.