Hotfixes By E-Mail
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Hotfixes By E-Mail

Written By
Larry Seltzer
Larry Seltzer
Aug 13, 2007
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft has a bad reputation for issuing fixes for software problems, but they do fix lots of them, all the time. Its inevitable for a company with so many products used by so many people. Usually, before bug fixes are rolled into a general-distribution patches, service packs or new version, they are issued piecemeal as “hotfixes.”

Hotfixes arent put up on the Web for any and all takers. Microsoft has testing standards for fixes put up for everyone, and hotfixes dont meet them. They are designed to fix specific problems and are not exhaustively tested to find edge cases where they cause problems, for instance, with other programs. Its not uncommon for such problems to turn up over time.

They recommend—and this is very good advice—that you only install hotfixes on systems that are experiencing the problems they address. Its common for you to have to uninstall hotfixes on systems in order to apply service packs and other official fixes, so use them only when necessary and keep track of where you use them.

/zimages/2/28571.gifA good example of when hotfixes are issued is when 3rd-party applications suffered at the release of an emergency security update earlier this year.Click hereto read more.

It used to be that to get a hotfix you had to contact Microsoft support services and explain why you needed it. Now Microsoft has a system for ordering hotfixes by e-mail. On this Web page you can specify the knowledge base article describing the problem, your processor type and an e-mail address. The submission form replies with “A Microsoft Professional will respond to you via e-mail within 8 business hours.” The page and the form it submits are https, and the certificate is signed by GTE Cybertrust, so Im certain enough its for real, although this would be a good place for an EV certificate.

Not that I really had the problem, but I tried it with this bug (KB913384) Within minutes an e-mail arrived from nahotfx@microsoft.com that contained an http (not https) link on hotfixv4.microsoft.com to a file (295549_intl_i386_zip.exe). It read back the information I had presented in the Web form, so Im satisfied its genuine. The file is a password-protected self-extracting .zip, and the e-mail also contains the password for opening the file.

Even though I get the sense this is a good system, clearly there are potential problems with it. Lets say Im a busy administrator and I get one of these e-mails, maybe sent to a generic address like support@mycompany.com. Maybe one of the guys asked for it. There are enough clues in the real message that I can protect myself with a healthy skepticism.

Then I download the file and things get a little fishier. The file is a self-extracting .exe and is not digitally signed. It shows “Unknown Publisher.” Looking at the file properties in Explorer shows nothing about Microsoft. The company is Xceed Software and the Description is “32-bit Self-extractor module.” Incidentally, Kaspersky Anti-Virus generated a warning about it being a password-protected .zip. Fair enough, Ive been warned.

It extracts into two files: hotfix.txt, which has superficial instructions and some other information (mostly the “Disclaimer of Liability”), and NDP20-KB913384-X86.exe, the actual hotfix package, which Kaspersky has no problems with. This file is digitally signed, by Microsoft with a VeriSign-issued certificate.

The hotfix program is also notable for the wealth of file properties on the Version tab. There are properties pointing to the knowledge base article, the processor architecture, the build date, and a detailed description. Excel.exe doesnt have half this stuff. This is unrelated to security, but its interesting.

I was leery of the security of the hotfixes-by-e-mail process until at the end I reviewed it all. They could improve some things, but I think any attacks that would take advantage of it would probably spoof it rather than exploit the actual process.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack

More from Larry Seltzer
Larry Seltzer
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information