OctoberPatchFest: The Postmortem

By Larry Seltzer  |  Posted 2004-10-14 Print this article Print

Opinion: The most interesting advisories and patches aren't necessarily the ones getting the most attention.

I was actually unavailable Tuesday at 1:30 p.m. Eastern time, when Microsofts October patches began to release. It was a bad day to be out. The company set a new record with 10 advisories listing dozens of vulnerabilities. I looked them over to separate the ho-hum stuff from the real killers. The first advisory, MS04-029, called "Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service," is important for NT4 Server users, but hopefully there are very few of these left on the Internet. Unfortunately, as Netcrafts survey of the Web servers of the FTSE 100 shows, many large corporations are still running it on publicly available servers. One day, well look back at this patch with nostalgia, since all support for NT4, including security patches, will cease at the end of this year.

MS04-030, called "Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service," doesnt strike me as something likely to lead to big problems in the future. How many sites really use WebDAV, anyway? Previous bad experience with WebDAV problems has taught many users to shut it off if theyre not using it. Plus, the worst you can realistically get out of it is a DOS (denial of service).

MS04-031, called "Vulnerability in NetDDE Could Allow Remote Code Execution," is a horrible vulnerability in the NetDDE service, but this service is not started by default, and nobodys going to start it because almost nobody uses NetDDE.

The problems in MS04-032, "Security Update for Microsoft Windows," apply to every modern Windows version except SP2 (Service Pack 2). Its a multiple update with four different problems, only one rated critical. That one is critical because it enables remote code execution from a data file, but its not quite in the same class with other such bugs, such as the recent JPEG bug.

Read more here about the JPEG bug. Metafiles cant run out of an HTML e-mail or on a Web page. You have to get the user to run them. This isnt hard, though, so its reasonable that it be rated critical. The other bugs are local privilege-elevation bugs, so the program executing them has to be installed and run locally already. This is important, but in the world of Windows, its not top priority.

Next page: Flaws in ZIPs, mail servers and more.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel