Hotfixes arent put up on the Web for any and all takers. Microsoft has testing standards for fixes put up for everyone, and hotfixes dont meet them. They are designed to fix specific problems and are not exhaustively tested to find edge cases where they cause problems, for instance, with other programs. Its not uncommon for such problems to turn up over time.
They recommend—and this is very good advice—that you only install hotfixes on systems that are experiencing the problems they address. Its common for you to have to uninstall hotfixes on systems in order to apply service packs and other official fixes, so use them only when necessary and keep track of where you use them.
It used to be that to get a hotfix you had to contact Microsoft support services and explain why you needed it. Now Microsoft has a system for ordering hotfixes by e-mail. On this Web page you can specify the knowledge base article describing the problem, your processor type and an e-mail address. The submission form replies with "A Microsoft Professional will respond to you via e-mail within 8 business hours." The page and the form it submits are https, and the certificate is signed by GTE Cybertrust, so Im certain enough its for real, although this would be a good place for an EV certificate.
Not that I really had the problem, but I tried it with this bug (KB913384) Within minutes an e-mail arrived from email@example.com that contained an http (not https) link on hotfixv4.microsoft.com to a file (295549_intl_i386_zip.exe). It read back the information I had presented in the Web form, so Im satisfied its genuine. The file is a password-protected self-extracting .zip, and the e-mail also contains the password for opening the file.
Even though I get the sense this is a good system, clearly there are potential problems with it. Lets say Im a busy administrator and I get one of these e-mails, maybe sent to a generic address like firstname.lastname@example.org. Maybe one of the guys asked for it. There are enough clues in the real message that I can protect myself with a healthy skepticism.
Then I download the file and things get a little fishier. The file is a self-extracting .exe and is not digitally signed. It shows "Unknown Publisher." Looking at the file properties in Explorer shows nothing about Microsoft. The company is Xceed Software and the Description is "32-bit Self-extractor module." Incidentally, Kaspersky Anti-Virus generated a warning about it being a password-protected .zip. Fair enough, Ive been warned.
It extracts into two files: hotfix.txt, which has superficial instructions and some other information (mostly the "Disclaimer of Liability"), and NDP20-KB913384-X86.exe, the actual hotfix package, which Kaspersky has no problems with. This file is digitally signed, by Microsoft with a VeriSign-issued certificate.
The hotfix program is also notable for the wealth of file properties on the Version tab. There are properties pointing to the knowledge base article, the processor architecture, the build date, and a detailed description. Excel.exe doesnt have half this stuff. This is unrelated to security, but its interesting.
I was leery of the security of the hotfixes-by-e-mail process until at the end I reviewed it all. They could improve some things, but I think any attacks that would take advantage of it would probably spoof it rather than exploit the actual process.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer