You deployed MS09-008 – are you now protected?

You might have seen several reports that MS09-008 does not protect you from the vulnerabilities. We reviewed these claims and customers who have deployed MS09-008 are protected from the four vulnerabilities.

If you want to have the details, you should consult our Security Research & Defense Blog, where we posted MS09-008: DNS and WINS Server Security Update in More Detail as the problem is somewhat more complex than just “yes/no”


Comments (3)

  1. Anonymous says:

    Hi Shoaib,

    this is the fundamental disconnect in the discussion about whether the update protects you or not: A Security Update is here to protect you from an exploitation of a vulnerability but will never clean your machine if you have already been successfully attacked before you installed the update.


  2. Shoaib Yousuf says:


    This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.

    As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLMSYSTEMCurrentControlSetServicesDNSParameters,

    Once created these values in the registry, if anyone tries to launch a “man-in-the-middle” attack it won’t success, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.

    However, in the case of MS09-008 patch it doesn’t work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn’t solve the problem and the “man-in-the-middle” attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is “isatap” instead of “wpad isatap”, so the queries to WPAD are not being blocked.

    Incase a successful attack has already taken place before applying the patch, your traffic can be being redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there “sniffing” all your traffic.

    Microsoft guys have blogged about this and how to resolve this, you can find more information here :


  3. Shoaib Yousuf says:

    Hi Roger,

    I agree with your comments. We need to make sure other organizations understand that as well.



Skip to main content