Christopher Budd responds to MS08-068 criticism

Microsoft has responded to criticism over delays in addressing the SMBRelay attack.

Christopher Budd, security response communications lead for Microsoft, wrote in a blog post that he had received questions from customers about MS08-068 and why the issue was only addressed seven years after it was first reported.

Budd said: “At a high level, the behaviour that was discussed in the original SMBRelay attack is related to some of the basic behaviour of the legacy NTLM protocol. When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications.

“To be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable. For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.”

Budd then said that Microsoft had continued to look at the issue, and had not ‘closed’ it, to see whether it could be addressed in a way that neither broke existing applications nor required application developers to completely rewrite their software.

Budd said: “In general, changes of this magnitude can only be made safely in completely new versions of Windows because of the thorough testing that they would receive. And we've made some incremental changes in things like Windows XP SP2 and Windows Vista to help address some of this issue.

“Over the course of the past year, however, that ongoing work showed us a way to build on those incremental changes that we believed would enable us to make changes that address the issues outlined in the SMBRelay attack and also minimise the impact on network applications. If we were able to do that, we would be able to look at addressing this issue not in a new version of Windows but instead in a security update, provided it met the appropriate quality bar.”

He said that the engineering teams spent time testing this approach and found it was feasible, so the work was taken forward and developed into a security update.

Budd concluded: “It addresses the SMBRelay issue but does so in a way that doesn't have the negative impact on applications that we originally believed addressing this issue would have.”

He did not rule out implementing SMB signing, and said that Microsoft would still ultimately recommend doing so, although he said that MS08-068 provides sufficient protection where SMB signing cannot be implemented.
