MS Patch Tuesday and Skype outage – why things didn’t match

With Skype’s explanation written on 20th Aug, Microsoft’s response also written on Monday, and Skype’s clarification written today, 21st Aug, all now available, it’s time to share a short summary:

Why did the security community react the way it did?

1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. Critical patch (MS07-044) for a code execution issue in Excel needs no reboot
5. Critical patch (MS07-050) for VML needs reboot only if files in use
6. SecurityLab.ru released public Skype Network Remote DoS Exploit on 17th Aug
7. A new Skype for Windows version, 3.5.0.214, was released on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share whether you are aware of the public PoC, what the new bugfix release fixes, etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Fine, because there are Black Tuesday patches in the future too! ;-)

  • http://www.BeyondSecurity.com Aviram

    They’re just following the old and proven proverb: “when in doubt, blame Microsoft” :-)

  • Skype Official ( :) )

    Trust me, it is Microsoft’s blame that Windows is the #1 operating system, and therefore Skype is most popular there, and as well you must restart computers after installing patches.

    If Linux were the #1 operating system we wouldn’t have had such issues! :)

  • bugmenot

    And everyone decided to update/patch and reboot at the very same time. Or maybe it’s automatic update, which does automatic reboot without confirmation, and automatic logon with the default user and automatically launches skype and automatically connects…

  • WishUWereMe

    Skype quit trying to point fingers at others. Don’t blame MS for Windows being #1 OS or that the majority of skype users use it.

    This would be similar to blaming the world for driving automobiles instead of other transportation. What you have actually claimed happened is in effect the same thing as blaming auto drivers for turning off the cars and filling up with petrol at the same time (say the day before Hurricane Katrina). Did you see the system fail there? Not really, yes there was a supply and demand issue in the gulf region. But the system continued to work elsewhere across the country and the world.

    That is completely bogus to blame the reboots.

    1) Most computers are still using the default settings for autoupdate, thus the reboots are phased in across about 24 hours as 3am approaches the local user. If the number of computers across the globe were evenly distributed across the globe, then at most 1/24 or about 4%. We know that the computers are heavily congregated across about 4 TZs in the US/Canada and about 3 TZs of Europe and 1-3 between Asia and Australia/NZ. Let’s just use 8 TZs as a rough guess then. You are claiming that when 13% of the computers around the world reboot on reboot Wednesday, that your system not only failed, but was a catastrophic failure.

    2) It is apparent that you lost enough of the supernodes/relays in the skype network due to the “reboots” that it could not heal itself. Why does your algorithm not weight server based Operating Systems such as Linux or Windows Server 2003 a little heavier for the promotion to super node?

    It is quite obvious that the Skype algorithm works pretty well in the normal situation, but there has not been a significant amount of testing in worst case situations (i.e. large number of supernodes disappear suddenly).
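A toy model of the argument in the comment above (an added illustration, not Skype’s algorithm or any code from the page): peers spread across time zones reboot at their local 03:00, and supernodes are promoted either uniformly or with preference for always-on hosts. The zone populations, the 10% supernode share and the 40 login slots per supernode are assumed values.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    desktops: int  # consumer hosts: auto-update reboots them at local 03:00
    servers: int   # always-on hosts (Linux, Windows Server): assumed not to reboot

# Constructed population per UTC offset, loosely following the comment's guess
# that peers cluster in a few North American and European time zones.
ZONES = {
    -8: Zone(300, 10), -7: Zone(100, 5), -6: Zone(200, 10), -5: Zone(400, 20),
    0: Zone(250, 15), 1: Zone(500, 25), 2: Zone(150, 10),
    8: Zone(100, 10), 9: Zone(50, 5), 10: Zone(50, 5),
}
SUPERNODE_SHARE = 0.10     # assumed share of hosts promoted to supernode
SLOTS_PER_SUPERNODE = 40   # assumed reconnecting clients one supernode absorbs

def promote(zones, prefer_servers):
    """Per zone: (desktop supernodes, server supernodes); weighted mode fills quota from servers first."""
    out = {}
    for tz, z in zones.items():
        hosts = z.desktops + z.servers
        quota = hosts * SUPERNODE_SHARE
        if prefer_servers:
            srv = min(quota, z.servers)          # always-on hosts take the slots first
        else:
            srv = quota * z.servers / hosts      # promotion blind to host type
        out[tz] = (quota - srv, srv)
    return out

def hourly_load(zones, prefer_servers, synchronized=False):
    """Per UTC hour: (clients reconnecting, supernode slots still online); synchronized = all reboot at once."""
    sn = promote(zones, prefer_servers)
    slots = sum(d + s for d, s in sn.values()) * SLOTS_PER_SUPERNODE
    load = []
    for hour in range(24):
        zs = list(zones) if synchronized else [tz for tz in zones if (hour + tz) % 24 == 3]
        lost = sum(sn[tz][0] for tz in zs) * SLOTS_PER_SUPERNODE  # desktop supernodes gone
        demand = sum(zones[tz].desktops for tz in zs)            # peers needing a new supernode
        load.append((demand, slots - lost))
    return load

def worst_hour_ratio(zones=ZONES, prefer_servers=False, synchronized=False):
    """Peak reconnect demand over surviving capacity; above 1.0 the overlay cannot heal itself."""
    return max(d / c if c > 0 else float("inf")
               for d, c in hourly_load(zones, prefer_servers, synchronized))
```

With these assumed numbers the phased reboot never comes close to overload, while a fully synchronized reboot overloads uniform promotion by a factor of about 4.6 but stays under capacity when always-on hosts are preferred as supernodes.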

  • http://colsec.blogspot.com colweb

    And of course the whole world is in the same timezone, so the automatic updates all triggered at the same time… riiiight…

  • http://autistici.org/ai/crackdown/ autista

    6. SecurityLab.ru released public Skype Network Remote DoS Exploit on 17th Aug

    I don’t believe that the published PoC is implied in this Skype outage, I have just finished reading http://www.ush.it/2007/08/18/why-the-skype-0day-exploit-is-a-fake/ and it has some good points in it.

    If it was a DoS attack I would expect the exploit code to be more complex and/or better written.

  • http://www.BeyondSecurity.com Aviram

    Autista, the DoS didn’t necessarily have to be done with the exploit code that was released – the exploit shows there’s a problem; someone else can use this to write a better DoS exploit (or perhaps find another DoS variant based on this discovery).
