MS Confirms Win2K Worm Hole Patch Is Buggy

Although deployment is causing problems for some Microsoft customers, the company continues to stress the importance of its October patch for Windows 2000.

Microsoft Corp.s patch for a worm-vulnerable security flaw in the Windows 2000 operating system is causing problems for some users.

The software giant late Friday confirmed several "isolated deployment issues" with the MS05-051 update, but insisted that the problems should not stop anyone from applying the critical patch.

Word of problems with the patch comes at the worst possible time for officials at the MSRC (Microsoft Security Response Center), the Redmond unit that has preached the "patch-now-or-else" gospel since the update shipped earlier this week.

With proof-of-concept exploits circulating and experts predicting that a network worm attack may be on the cards, enterprise IT administrators testing the patch are now dealing with a new round of headaches that could delay overall deployment efforts.

A Microsoft spokesperson told Ziff Davis Internet News the company is working with a "limited amount of customers" affected by the buggy patch, but stressed that all customers should still treat MS05-051 as a high-priority update.

Late Friday, Microsoft published Knowledge Base article 909444 with workarounds for Windows XP, Windows 2000 Server and Windows Server 2003 customers with the patch deployment problems.

Customers have reported that the Windows Installer service and the Windows Firewall Service did not start after the patch was deployed.

/zimages/4/28571.gifIs Microsoft rushing patches out the door too fast? Click here to read more.

Microsoft also confirmed that the patch could cause the Network Connections folder to be empty or the Windows Update Web site to incorrectly recommend that patched computers change the Userdata persistence setting in Internet Explorer.

Other confirmed problems include:

  • ASP (Active Server Pages) pages that are running on Microsoft ISS (Internet Information Services) return an "HTTP 500 – Internal Server Error" error message.
  • The Microsoft COM+ EventSystem service will not start.
  • COM+ applications will not start.
  • The computers node in the Microsoft Component Services MMC (Microsoft Management Console) tree will not expand.
  • Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

The MSRC also posted a Weblog entry to acknowledge the problems and noted that these only occurred in cases where the default permissions on the COM+ catalog directory and files had been changed from the default settings.

"This situation is fairly limited in the number of customers who have reported it, but we wanted to make sure people were aware we had guidance on it. Were still keeping an eye out for public exploit code for MS05-051 and have not seen any as yet. Well be watching through the weekend, so if anything changes that you need to know about well update you," MSRC operations manager Mike Reavey said.

/zimages/4/28571.gifClick here to read more about the activities of the Microsoft Security Response Center.

The SANS ISC (Internet Storm Center) reported several other problems, including the inability to access the Windows Update site, a non-working Search tool off the Start Menu, blank screens without icons, anti-virus and anti-spyware applications not working, and trouble using Microsoft Office programs.

In a diary entry, ISC chief technology officer Johannes Ullrich said its only a matter of time before a dangerous exploit lands in the wrong hands. He urged Windows users to secure unpatched networks before leaving for the weekend.

"The obvious thing is to apply patch MS05-051 on at least your [Windows 2000]," Ullrich said. "We do know the port 3372 scanning started in full force, likely in order to acquire target lists. If you cant patch, at least make sure port 3372 is closed."

Dave Aitel, a vulnerability researcher at Immunity Inc., has released a flash movie of an exploit for the unchecked buffer in the MSDTC (Microsoft Distributed Transaction Coordinator). However, despite creating a working proof of concept, Aitel said he does not believe there will be a Zotob-like worm attack anytime soon.

"I know everyone is freaking, but I dont think theres going to be a DTC worm," Aitel wrote on the DailyDave security mailing list. He said there are too many variables in the kinds of machines that are vulnerable, making it difficult to unleash a successful worm. "This bug isnt going to have a worm," Aitel said.

If there is a worm, Aitel predicts it will be the code execution flaw in the Client Service for NetWare that will be targeted. Immunity has also created an exploit for that bug, which is addressed in the MS05-046 bulletin.

"That bug is so easy that you can use it in buffer-overflow 101 classes," Aitel said.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.