OctoberPatchFest: The Postmortem

Opinion: The most interesting advisories and patches aren't necessarily the ones getting the most attention.

I was actually unavailable Tuesday at 1:30 p.m. Eastern time, when Microsoft's October patches began to release. It was a bad day to be out. The company set a new record with 10 advisories listing dozens of vulnerabilities. I looked them over to separate the ho-hum stuff from the real killers.

The first advisory, MS04-029, called "Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service," is important for NT4 Server users, but hopefully there are very few of these left on the Internet.

Unfortunately, as Netcraft's survey of the Web servers of the FTSE 100 shows, many large corporations are still running it on publicly available servers. One day, we'll look back at this patch with nostalgia, since all support for NT4, including security patches, will cease at the end of this year.

MS04-030, called "Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service," doesn't strike me as something likely to lead to big problems in the future. How many sites really use WebDAV, anyway? Previous bad experience with WebDAV problems has taught many users to shut it off if they're not using it. Plus, the worst you can realistically get out of it is a DoS (denial of service).

MS04-031, called "Vulnerability in NetDDE Could Allow Remote Code Execution," is a horrible vulnerability in the NetDDE service, but this service is not started by default, and nobody's going to start it because almost nobody uses NetDDE.

The problems in MS04-032, "Security Update for Microsoft Windows," apply to every modern Windows version except SP2 (Service Pack 2). It's a multiple update with four different problems, only one rated critical. That one is critical because it enables remote code execution from a data file, but it's not quite in the same class with other such bugs, such as the recent JPEG bug.



Metafiles can't run out of an HTML e-mail or on a Web page. You have to get the user to run them. This isn't hard, though, so it's reasonable that it be rated critical. The other bugs are local privilege-elevation bugs, so the program executing them has to be installed and run locally already. This is important, but in the world of Windows, it's not top priority.
