I was actually unavailable Tuesday at 1:30 p.m. Eastern time, when Microsofts October patches began to release. It was a bad day to be out. The company set a new record with 10 advisories listing dozens of vulnerabilities. I looked them over to separate the ho-hum stuff from the real killers.
The first advisory, MS04-029, called “Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service,” is important for NT4 Server users, but hopefully there are very few of these left on the Internet.
Unfortunately, as Netcrafts survey of the Web servers of the FTSE 100 shows, many large corporations are still running it on publicly available servers. One day, well look back at this patch with nostalgia, since all support for NT4, including security patches, will cease at the end of this year.
MS04-030, called “Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service,” doesnt strike me as something likely to lead to big problems in the future. How many sites really use WebDAV, anyway? Previous bad experience with WebDAV problems has taught many users to shut it off if theyre not using it. Plus, the worst you can realistically get out of it is a DOS (denial of service).
MS04-031, called “Vulnerability in NetDDE Could Allow Remote Code Execution,” is a horrible vulnerability in the NetDDE service, but this service is not started by default, and nobodys going to start it because almost nobody uses NetDDE.
The problems in MS04-032, “Security Update for Microsoft Windows,” apply to every modern Windows version except SP2 (Service Pack 2). Its a multiple update with four different problems, only one rated critical. That one is critical because it enables remote code execution from a data file, but its not quite in the same class with other such bugs, such as the recent JPEG bug.
Metafiles cant run out of an HTML e-mail or on a Web page. You have to get the user to run them. This isnt hard, though, so its reasonable that it be rated critical. The other bugs are local privilege-elevation bugs, so the program executing them has to be installed and run locally already. This is important, but in the world of Windows, its not top priority.
Flaws in ZIPs, Mail
Servers and More”> MS04-034, “Vulnerability in Compressed (Zipped) Folders Could Allow Remote Code Execution,” relies on either a malicious Web site or a malicious ZIP file. I dont think the Web site issue is a big one, but I can see ZIP-based mail worms such as Bagle incorporating this. Once again, SP2 is exempted.
MS04-035, “Vulnerability in SMTP Could Allow Remote Code Execution,” affects only Windows Server 2003, Windows XP 64-Bit Edition, and Exchange Server 2003 on Windows 2000 Server.
Russ Cooper of TruSecure Corp. thought this would be the most important flaw in the short term, and I can see why. The workarounds listed in the advisory, such as shutting off TCP port 53, dont seem acceptable. If youre running an Exchange Server 2003 system, you need to drop everything and test this patch.
How many sites are running Windows-based NNTP servers, the subject of MS04-036, “Vulnerability in NNTP Could Allow Remote Code Execution”? I really cant believe there are that many, but its actually more complicated than that. Some versions of Exchange require that NNTP be enabled in order to install.
Exchange 2003 then disables it, eliminating this vulnerability, but Exchange 2000 doesnt. So, those admins need to disable NNTP manually or apply the patch. I suspect there arent enough of these servers out there for attackers to spend a lot of research time on this problem.
MS04-037, “Vulnerability in Windows Shell Could Allow Remote Code Execution,” bothers me a lot, but at least its not an issue on SP2. Will someone explain to me why the Program Group converter—a tool for converting Windows 3.x groups to Windows 9x format—is still present in Windows XP? I really dont understand.
The other vulnerability in this advisory, a shell vulnerability, sounds like a “shatter attack” of which I have written in the past. I suspect there are tons of these undetected and well hear them continue to dribble out over time.
Finally, the biggie was MS04-038, “Cumulative Security Update for Internet Explorer,” affecting almost every version of everything and doing it badly. I recognize some of these problems from recent lists of “unpatched” vulnerabilities, so some of those lists have some housekeeping to do.
This was the only version of relevance to SP2 users for Microsofts final acknowledgement of the infamous “drag-and-drop bug,” which allows a malicious Web page to drop a file into the Startup folder to be launched at logon time. You could make a case that this should be critical, but it doesnt have the stuff of a mass attack.
Theres a mix of important and unimportant issues here, but the first impression I get is that its more evidence of how much better off SP2 users are. One patch only, and not a critical one.
No, You Dont Have
to Load SP2″> One of the rumors I heard on Patch Day, in the confusion surrounding Microsofts release of a large number of patches for various versions of Windows and other products, was that there were patches for problems affecting Service Pack 1 that required you to install Service Pack 2.
There are many places I could go with this, such as to the point that almost everyone should be running SP2 anyway, so whats your excuse? But there are some reasons not to install SP2 even today, and even I have one. There is one application I have, and absolutely must use, that is flat-out incompatible with SP2.
The developer has said Microsoft wont be fixing the problems anytime soon. My solution is to keep a separate SP1 computer on my network that I use almost exclusively for this application, and in fact I generally use remote desktop to access the system.
Since Patch Day, I ran Windows Update on that system, and I can see how someone would be confused by the messages it sends. The bottom line is that its possible to apply the SP1 patches and not install SP2, but Microsoft makes it really convenient to apply SP2.
First, forget about automatic updates. I dont think theres a good way to get around SP2 there. I wasnt exhaustive in my studies, but it doesnt matter. Go to the real Windows Update site (Tools-Windows Update in Internet Explorer). Let Automatic Updates take over, and it will try to give you SP2.
Even if you havent installed SP2, it looks like you get the new version 5 Windows Update now, so things may not be as you remember. Theres an Express Install and a Custom Install. Choose Custom. Most of the next screen will be dominated by an effort to get you to install SP2.
At the bottom there is another section that says “If you do not install Windows XP Service Pack 2, other updates might still apply to your computer.” Click the “Review Other Updates” button nearby. The rest of the process is basically like the old Windows Update, and there are no more tricks to get you to install SP2.
I saw five critical updates on this system: MS04-031, MS04-032, MS04-034, MS04-037 and MS04-038. This is exactly what I would expect based on the configuration of the system and the issues in the advisories.
Fellow SP1 hangers-on, well all have an inconvenient time of it until such time as we can apply SP2, and that has to be viewed as a goal in and of itself.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer