Here I am again writing on MS BlueHat blog, this time about Token Kidnapping.
The first time I talked about Token kidnapping was a long time ago and now after a year the issues detailed in the presentation are finally fixed.
Let's see what happened.
Before the first public Token Kidnapping presentation I talked to MS about the topics it included, I mentioned that there were design issues and that some issues were already known. I gave details to them about the Windows XP and 2003 issues (the ones that were already known, at least for some people and for MS too I guess) but I didn't give to them details about the Windows Vista and 2008 issues because I didn't want to give expensive research for free to MS. They would get the research together with general public.
It's very important to have in mind that these are not critical issues; these are elevation of privileges issues that can only be exploited in certain scenarios. These issues need some level of privilege to be exploited, so it's highly unlikely that they will be exploited to mass compromise servers and home computers. It's also important to note that in the scenarios that the issues can be exploited if these issues wouldn't exist then it could be also possible to elevate privileges in a different way. Because of all of this I decided to publish the Token Kidnapping details without any patch available since for me there was no real threat. These are security issues but the impact is very low.
It was only after the presentation and the press attention that MS fully understood the issues and realized that they needed to patch them but as most of them were design issues it would take a lot of work to get a patch ready.
Token Kidnapping had (and still has) a great media coverage this is something that doesn't make MS to look good and it also scares MS customers, MS knew it so they worked hard to fix these issues in a patch instead of a service pack were it would have been more appropriate to fix most of the issues. It took them a year but hey, given the complexity of the fix I think it's not that bad.
Microsoft had a hard time and instead of giving excuses they produced a fix, a bit slowly, but hey nobody is perfect.
The moral of the story? MS put a lot of effort to get things fixed as soon as possible. MS really cares about their customers and of course about PR too. But the PR didn’t really make the fix come faster.
The Token Kidnapping attack was fixed as part of MS09-012, which was released today along with several other very important patches.
MS09-013 - Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution
MS09-014 - Cumulative Security Update for Internet Explorer
MS09-015 - Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege
MS09-016 - Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service