Public Service Announcement: Patch Your NT4/2000/XP/2003 Systems!


Ed Hansberry
02-11-2004, 03:00 PM
http://www.microsoft.com/technet/security/bulletin/winfeb04.asp

Microsoft has released several patches in the past 24 hours, but the most critical is "MS04-007 - ASN.1 Vulnerability Could Allow Code Execution." You can apply this patch by visiting Microsoft's Windows Update site (http://www.microsoft.com/windowsupdate).

For more information on the issue, you can visit the following links:
• Vulnerability Note VU#216324 - http://www.kb.cert.org/vuls/id/216324
• Vulnerability Note VU#583108 - http://www.kb.cert.org/vuls/id/583108
• eEye Digital Security Advisory AD20040210 - http://www.eeye.com/html/Research/Advisories/AD20040210.html
• eEye Digital Security Advisory AD20040210-2 - http://www.eeye.com/html/Research/Advisories/AD20040210-2.html
• Microsoft Security Bulletin MS04-007 - http://microsoft.com/technet/security/bulletin/MS04-007.asp
• Microsoft Knowledge Base Article 252648 - http://support.microsoft.com/default.aspx?scid=252648

Basically, patch your box or unplug it. There is no exploit as I type this, but the day is young. Most alarming is there are really no mitigating factors. A firewall may not be the protection you think it is for this issue. This quote puts it in perspective (http://news.zdnet.co.uk/software/applications/0,39020384,39146097,00.htm): "The widespread use of ASN.1 has led many security researchers to label it a possible "monoculture" -- a population so homogeneous that a single threat could destroy it." :shocked!:

Why are you still reading this? You should be patching!
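The eEye advisories linked above concern how Microsoft's ASN.1 library handles length fields. The following is an added example, not Microsoft's code and not a reconstruction of the actual flaw: a minimal BER/DER tag-length header decoder in C with the bounds checks a decoder of this format needs, placed next to the kind of wrapping 32-bit length check that lets a crafted length slip through. The sample byte strings are constructed for the example; the function and type names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded tag-length header of one BER/DER TLV (example type, not a library one). */
typedef struct {
    uint8_t tag;        /* identifier octet */
    size_t  length;     /* number of content octets */
    size_t  header_len; /* octets consumed by tag + length field */
} der_hdr;

/* The kind of check that goes wrong: position and length are added in 32-bit
 * arithmetic, so a crafted length near 2^32 wraps the sum below buflen and
 * the decoder then reads or writes far past the buffer. Shown for contrast only. */
int naive_length_ok(uint32_t pos, uint32_t len, uint32_t buflen)
{
    return pos + len <= buflen;
}

/* Overflow-free form: never compute pos + len; compare len against the
 * space that is actually left in the buffer. */
int safe_length_ok(size_t pos, size_t len, size_t buflen)
{
    return pos <= buflen && len <= buflen - pos;
}

/* Decode the tag and length at buf[0..buflen). Returns 0 and fills *out on
 * success, -1 on anything malformed or unsafe:
 *  - fewer than two octets
 *  - multi-octet tag numbers (not needed here)
 *  - indefinite length (0x80), which DER forbids
 *  - more than four length octets (content could never fit a real buffer,
 *    and accumulating more could overflow a 32-bit size_t)
 *  - non-minimal long-form length (DER requires the shortest encoding)
 *  - content that would run past the end of the buffer */
int der_read_header(const uint8_t *buf, size_t buflen, der_hdr *out)
{
    size_t pos = 0;
    size_t len;

    if (buflen < 2)
        return -1;

    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return -1;

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                        /* short form */
    } else {
        unsigned n = first & 0x7f;          /* number of length octets */
        if (n == 0 || n > 4)
            return -1;
        if (buflen - pos < n)               /* length octets themselves are missing */
            return -1;
        if (buf[pos] == 0)                  /* leading zero octet: non-minimal */
            return -1;
        len = 0;
        for (unsigned i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)                     /* should have used the short form */
            return -1;
    }

    if (!safe_length_ok(pos, len, buflen))  /* content would run past the buffer */
        return -1;

    out->tag = tag;
    out->length = len;
    out->header_len = pos;
    return 0;
}

/* Walk the children of a constructed value (SEQUENCE, SET, ...) and return
 * how many there are, or -1 if the outer header or any child is malformed.
 * Each child is validated against the parent's remaining length, so a child
 * that claims more content than its parent holds is rejected. */
int der_count_children(const uint8_t *buf, size_t buflen)
{
    der_hdr h, c;
    if (der_read_header(buf, buflen, &h) != 0)
        return -1;
    if (!(h.tag & 0x20))                    /* constructed bit not set */
        return -1;

    const uint8_t *p = buf + h.header_len;
    size_t remaining = h.length;            /* already bounded by buflen */
    int count = 0;
    while (remaining > 0) {
        if (der_read_header(p, remaining, &c) != 0)
            return -1;
        size_t total = c.header_len + c.length; /* <= remaining, so cannot overflow */
        p += total;
        remaining -= total;
        count++;
    }
    return count;
}

/* Constructed sample inputs (made up for this example, not captured traffic). */
/* SEQUENCE { INTEGER 1, OCTET STRING "ab" } */
static const uint8_t SAMPLE_GOOD[] = { 0x30, 0x07, 0x02, 0x01, 0x01, 0x04, 0x02, 0x61, 0x62 };
/* SEQUENCE with a four-octet length of 0xFFFFFFFD but only three content octets behind it */
static const uint8_t SAMPLE_HUGE_LEN[] = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xfd, 0x02, 0x01, 0x01 };
/* SEQUENCE of 4 content octets whose child OCTET STRING claims 5 */
static const uint8_t SAMPLE_CHILD_OVERRUN[] = { 0x30, 0x04, 0x04, 0x05, 0x61, 0x62 };

int main(void)
{
    printf("good:          %d children\n", der_count_children(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("huge length:   %d\n", der_count_children(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN));
    printf("child overrun: %d\n", der_count_children(SAMPLE_CHILD_OVERRUN, sizeof SAMPLE_CHILD_OVERRUN));
    printf("naive check passes 6 + 0xFFFFFFFD <= 64: %d\n", naive_length_ok(6, 0xFFFFFFFDu, 64));
    printf("safe check passes the same:              %d\n", safe_length_ok(6, 0xFFFFFFFDu, 64));
    return 0;
}
```

The point of `safe_length_ok` is that the decoder never forms the sum of an attacker-controlled length and a position; it only ever asks whether the length fits in what is left, which cannot wrap. That is also why the firewall comment in the post matters: whichever service hands the bytes to the decoder, the decoder is the one that has to refuse them.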

dMores
02-11-2004, 03:05 PM
*sigh*

the joys of using a mac

:lol:

Jon Westfall
02-11-2004, 03:15 PM
Thanks for complicating my morning Ed ;) Logging into 5 2000 boxes over Terminal Services to run windows update is just the thing to wake me up.

Jon.

that_kid
02-11-2004, 03:17 PM
Only 5? I had to TS into 12 2000 boxes and 6 XP boxes to do this update. Hmm... maybe it's time to invest in an SMS server.

twntaipan
02-11-2004, 03:23 PM
Is Windows Update running unusually slow???

PR.
02-11-2004, 03:25 PM
I know I will probably be flamed for this, and I hasten to add that I will patch myself and the office PCs.

But why would anyone go to the effort of exploiting this when you can send an email to a user with an attachment labelled Virus.pif and spread it to millions of users?

It's not the holes in Windows that we should fear, it's the hole between the users' ears that I fear.

EricMCarson
02-11-2004, 03:26 PM
I've been getting the "500" error the last three times I've tried to access Windows Update. Luckily, we've got auto update on one machine, so we've got a copy to install locally.

gorkon280
02-11-2004, 03:27 PM
Windows Update is slow because all of PPC Thoughts is hitting it at the same time (my theory). Let me calm everyone down a bit... the world is not falling. You will be OK! :D Now, make sure you visit Windows Update at least once a week, or once a day if you're paranoid. There, that feels better, doesn't it? :roll:

acronym
02-11-2004, 03:30 PM
RED ALERT !! RED ALERT !!
we found a bug 6 months ago that makes your entire system vulnerable, but just got around to releasing a patch...

micro$oft - "we care"

Kevin Remhof
02-11-2004, 03:36 PM
Ah, the joys of being on a corporate PC. We can't run Microsoft Update from our desktop PCs. Our servers, yes. But, not our desktops. Blech.

markcrump
02-11-2004, 03:37 PM
We use SUS on the desktops, and Patchlink on the servers. All in all a fairly painless procedure.

Bill Gunn
02-11-2004, 03:41 PM
Thanks for complicating my morning Ed ;) Logging into 5 2000 boxes over Terminal Services to run windows update is just the thing to wake me up.

Jon.

My Computer>Properties>Automatic Updates

that_kid
02-11-2004, 03:44 PM
Thanks for complicating my morning Ed ;) Logging into 5 2000 boxes over Terminal Services to run windows update is just the thing to wake me up.

Jon.

My Computer>Properties>Automatic Updates

Yes, it's true that you can do auto updates, but many people (myself included) don't want to have things auto installed. I can see it now: I'm working on a video project and the next thing I know the computer has rebooted because it just installed an update. Yes, I know you can set it to also just download but not update.

dmacburry2003
02-11-2004, 04:28 PM
At first glance, it looked like you were trying to sell some type of addy shmaddy shpyware :lol:

foldedspace
02-11-2004, 04:37 PM
I have my computers setup for auto updates. Let's face it, people don't bother trying to exploit vulnerabilities in other operating systems because MS is more prevalent. Ditto for viruses...

miterb
02-11-2004, 04:47 PM
Yes, it's true that you can do auto updates, but many people (myself included) don't want to have things auto installed. I can see it now: I'm working on a video project and the next thing I know the computer has rebooted because it just installed an update. Yes, I know you can set it to also just download but not update.

There is an option in the auto update in Win XP to "notify" you when there are upgrades available. I find it works great for me. Windows checks after I boot up and I can wait for a quiet time to download the patches.

Bill Gunn
02-11-2004, 04:51 PM
Yes, it's true that you can do auto updates, but many people (myself included) don't want to have things auto installed. I can see it now: I'm working on a video project and the next thing I know the computer has rebooted because it just installed an update. Yes, I know you can set it to also just download but not update.

That's not how it works. Besides, you blindly installed the updates this morning because you really don't have a choice to not install them unless you want to leave your systems vulnerable. So why not just let them auto-install overnight and save yourself the trouble? Also, without at least auto-downloading you might miss a fix and be open to an exploit.

that_kid
02-11-2004, 05:32 PM
Not true. I have a time and day set aside to do all my network maintenance. I never miss a thing because I have the updates sent to me via e-mail. I don't like auto update and I'd rather not have the system download them for me and then notify me. I tried this before, and many times I have applied the update before the system even notifies me, so what use is auto update when I don't get the notifications in a timely fashion? Plus I have many computers on my network and I'd hate to have all my domain controllers shut down at the same time. I'm looking at having my own Windows Update server set up at both ends of my network where I can control the update schedule. I'm even looking into SMS Server, as I'd have to TS into many of my headless servers anyway just to accept the update.

notesguy88
02-11-2004, 05:37 PM
Heck, at my company we just completed the updates that take care of the "Welchia" virus on the PCs. Servers were done earlier. The reason this takes so long at my company is that our management wants us in IT to test that every piece of software and every application (both commercial and in-house) will not have any problems when the service packs and/or patches are installed.

We've had to build a test environment that runs all of our applications and test whether or not problems arise when the patches are installed. You'd think that this was silly and dangerous, not plugging those holes, and that was what I thought. I guess that's why I'm not in management! hahaha... As it turned out, several critical applications had severe problems after the patches were installed. We had to contact vendors to provide fixes and our development team had to fix some code for the in-house apps.

David Prahl
02-11-2004, 06:07 PM
Just patched my box, and now Skype won't run! :evil:

Soon we can expect
"MS04-008 - Vulnerability Could Allow User to Install Third-Party Software." :lol:

element
02-11-2004, 06:19 PM
Anyone that subscribes to Security Focus' newsletter knows that both *NIX and M$ have their issues. I eventually took myself off their mailing list due to the number of patches/security updates I was getting for UNIX and Linux. The issue is not the fact that there is a bug; the issue is the way that M$ tends to make it a marketing issue rather than a technical services issue.

*stepping down from my soapbox*
<< Runs Windows 2k* Servers
<< Runs Redhat Linux Servers
<< Runs Fedora Stations
<< Runs Windows XP Stations

OH and of course
<< Runs Windows PPC 2003

All have their place in my life.

Jon Westfall
02-11-2004, 06:24 PM
Windows Update is swamped, try www.microsoft.com/security for a few links that will take you to the locally-downloadable patch.

brianchris
02-11-2004, 07:51 PM
A couple (perhaps naive) questions:

1) Is it O.K. to install patches remotely via Terminal Services / Remote desktop?
2) I just hit Windows Update from an XP Pro box right before I wrote this (2/11/04 @ 10:45am PST), and although Windows Update itself was working, there were no critical updates available, even though I have not updated this same box for at least a couple of weeks, AND I do *not* have auto update configured. Why is Windows Update not offering me the (extremely) recent critical patches?

-Brian

element
02-11-2004, 08:46 PM
A couple (perhaps naive) questions:

1) Is it O.K. to install patches remotely via Terminal Services / Remote desktop?
2) I just hit Windows Update from an XP Pro box right before I wrote this (2/11/04 @ 10:45am PST), and although Windows Update itself was working, there were no critical updates available, even though I have not updated this same box for at least a couple of weeks, AND I do *not* have auto update configured. Why is Windows Update not offering me the (extremely) recent critical patches?

-Brian

Yes, it is okay. Terminal Services is just a window manager... passing screens across the wire.

Ed Hansberry
02-11-2004, 09:05 PM
A couple (perhaps naive) questions:

1) Is it O.K. to install patches remotely via Terminal Services / Remote desktop?
Yes, it is okay. Terminal Services is just a window manager... passing screens across the wire.
That is actually not true. Yes, you can normally apply hotfixes via TS, but TS is much more than a "window manager." VNC might be described as that but TS is much more. We have some apps that run fine at a PC's console (XP Pro) but don't via Remote Desktop, which is just TS on XP. You should almost NEVER install apps via RD/TS as registry shadowing can be a problem for apps that are not TS aware, and most aren't. I don't even apply Office hotfixes via TS. I do it at the console.

Also, if your TS is an application server, you should put it in "install" mode before applying a patch, whether you are at the console or remote. Furthermore, you should never install anything including hotfixes on a TS that has multiple sessions open regardless of what mode it is in (user or install) or how it is configured (application server or administrative session).

Janak Parekh
02-11-2004, 09:08 PM
2) I just hit Windows Update from an XP Pro box right before I wrote this (2/11/04 @ 10:45am PST), and although Windows Update itself was working, there were no critical updates available, even though I have not updated this same box for at least a couple of weeks, AND I do *not* have auto update configured. Why is Windows Update not offering me the (extremely) recent critical patches?
My guess is that it's because the site is swamped. Try again later.

You should almost NEVER install apps via RD/TS as registry shadowing can be a problem for apps that are not TS aware, and most aren't.
That's not true for administrative TS/remote desktop, though, is it? I thought registry shadowing only occurred for application servers.

--janak

Ed Hansberry
02-11-2004, 09:53 PM
You should almost NEVER install apps via RD/TS as registry shadowing can be a problem for apps that are not TS aware, and most aren't.
That's not true for administrative TS/remote desktop, though, is it? I thought registry shadowing only occurred for application servers.
I am not 100% sure on the specifics but I know you can have 1 person at the console and two concurrent sessions. Not sure if 2 means two TS connections + console or 1 TS + console/2TS +0 console.

Given that it is an administrative account and not the administrative account means it could be 2 different users with admin rights, so 2 different accounts. If they are on at the same time, that is two profiles loaded. Since registry shadowing doesn't occur (Terminal Services application compatibility settings are completely disabled; see http://www.microsoft.com/windows2000/techinfo/administration/terminal/tsremote.asp), you shouldn't install an app when two users are logged in unless you are 100% sure that registry shadowing isn't necessary because the installer/app is TS aware. One admin should log out, and preferably it be the one using TS. I don't even install small things like WinZip unless I am at the console and the only one logged in.

I don't even make the assumption that OS hotfixes are TS aware. I definitely don't assume Office is. As late as Office 2000 you had to have special install scripts to install them to a TS in application mode. I've not kept up with XP and 2003 on the TS side.

So, to your question: I thought registry shadowing only occurred for application servers.
Right. It doesn't occur on TS admin mode servers. That makes it imperative that the installer is TS aware or only one user is logged in. Otherwise, profiles may not be updated properly, since the TS will make no effort to compensate as a TS in application mode will.

Janak Parekh
02-11-2004, 10:28 PM
I am not 100% sure on the specifics but I know you can have 1 person at the console and two concurrent sessions. Not sure if 2 means two TS connections + console or 1 TS + console/2TS +0 console.
Of course, this differs between W2kServer, XP Pro and Server 2003. W2kServer has the console + 2 sessions, XP has "only" the console and will migrate it between the console and a remote connection, and Server 2003 has both functionalities combined.

One Admin should log out, and preferably it be the one using TS. I don't even install small things like WinZip unless I am at the console and the only one logged in.
Interesting. I took it to mean that since registry shadowing isn't occurring, the admin TS login is almost equivalent to a console login -- any changes happen in the HKCU part of the registry directly, and reflect the Administrator's profile.

For what it's worth, I have installed a ton of apps and done patches over administration mode, and I've even done a few of both in installation mode on an application server. I know back in the old days of Office 97 and earlier there were special issues, as you mention, but I haven't had problems as of late.

I don't even make the assumption that OS hotfixes are TS aware.
Actually, I believe they are. I have a recollection that Windows Update will actually refuse to run if you don't run CHANGE USER first on an app server. I have a lot of machines that can't be console administered all the time, and so far no problems. <knock wood> I hope I haven't been doing it wrong all this time... :oops:

--janak

Ed Hansberry
02-11-2004, 11:12 PM
One Admin should log out, and preferably it be the one using TS. I don't even install small things like WinZip unless I am at the console and the only one logged in.
Interesting. I took it to mean that since registry shadowing isn't occurring, the admin TS login is almost equivalent to a console login -- any changes happen in the HKCU part of the registry directly, and reflect the Administrator's profile. I know for a fact that it isn't the same. We have two apps that you can't effectively use in TS Admin mode.
For what it's worth, I have installed a ton of apps and done patches over administration mode, and I've even done a few of both in installation mode on an application server. I know back in the old days of Office 97 and earlier there were special issues, as you mention, but I haven't had problems as of late.
Installing in TS application servers in install mode should be fine since it is optimizing the install, but since the server is right here, I prefer to do it at the console, just in case.

I don't even make the assumption that OS hotfixes are TS aware.
Actually, I believe they are. I have a recollection that Windows Update will actually refuse to run if you don't run CHANGE USER first on an app server. I have a lot of machines that can't be console administered all the time, and so far no problems. <knock wood> I hope I haven't been doing it wrong all this time... :oops:
FWIW, that is WU saying that, which is a good thing. The hotfix itself though has to understand how to work with a TS registry for anything outside of the LOCALMACHINE and ROOT key. While I am pretty confident the hotfixes are TS aware, I don't make that assumption and try to install at the console. When I can't, I make sure I am the only one logged in and doing so as an admin.

Janak Parekh
02-11-2004, 11:43 PM
When I can't, I make sure I am the only one logged in and doing so as an admin.
Absolutely. Actually, I don't generally give others access to TS servers in admin mode.

--janak

Ed Hansberry
02-12-2004, 12:40 AM
Well, now 100% patched here. :mrgreen: So far, so good.

brianchris
02-12-2004, 01:04 AM
Well, now 100% patched here. :mrgreen: So far, so good.

Although I am patched too, now we can't celebrate too long. Seems like we admins have a choice: don't patch and wait for the vulnerabilities to be exploited (*not* recommended), OR patch and wait for the patch(es) to cause havoc. Case in point for yesterday's patches? Read this one (of many) example from the Small Business Server 2003 Newsgroup: http://communities.microsoft.com/NewsGroups/previewFrame.asp?ICP=GSS3&sLCID=US&sgroupURL=microsoft.public.windows.server.sbs&sMessageID=%253C%[email protected]%253E

Certainly, once Stephen Hawking discovers the one equation that explains everything in the universe, we'll be able to derive secure and stable software from that, right? :roll:

-Brian

Ed Hansberry
02-12-2004, 01:14 AM
Case in point for yesterday's patches? Read this one (of many) example from the Small Business Server 2003 Newsgroup: http://communities.microsoft.com/NewsGroups/previewFrame.asp?ICP=GSS3&sLCID=US&sgroupURL=microsoft.public.windows.server.sbs&sMessageID=%253C%[email protected]%253E
SBS is always the red-headed step child. It has problems that Win2000/2003 "fix" by recommending certain things be on different servers - something you can't do on SBS. SBS is a great idea, but I'll stick with multiple servers. More people have that and these patches get more extensive testing on those scenarios.

Jonathan1
02-12-2004, 01:23 AM
Ya know, it's a sad day when Microsoft advocate sites have to turn into patch advisory sites. :?

When is this crap going to end? It's one thing to patch an exploit that requires someone to execute something on their local computer or launch something on a web site that takes advantage of a security flaw, but this kind of crap that can allow a virus/worm to remotely enter and infect your system has to STOP! :evil: TCO and trustworthy computing my ***!!!!!!! :?

I got to pull an all-nighter last night and patch 154 systems in the office because of this; corp informed me I could not wait to automate it when the users come in the next morning. And I'm still playing cleanup with home users today. If it looks like I have a grudge against MS, **** right! My job description didn't include running around scared pissless that a virus will hit our network any minute and begin the apocalypse. Someone needs to sue Microsoft. Period. I want to see what happens when a real claim is slapped against MS. I want to see if the EULA would really hold up in court. I'm sorry, but there is such a thing as due diligence in any industry. I'm of the opinion that until now with Longhorn, Microsoft did not take security into consideration at all. How the heck else could all these security flaws last through 4 OS's (NT, 2K, XP, and 2003) and 8, count them, 8 freaking years!! Sorry folks, but this burns my biscuits. This is a prime example of features first and security second. It's like insurance. Everyone groans at spending money on it, but when you have it you love it. Security in an OS is a nontangible thing. It doesn't sell an OS nearly as well as X, Y, or Z feature. I expect patches. Sure. But not at the level these things have been flung out of MS's arse. Now you will excuse me. I've been working off of 2 hours of sleep in the last 36 hours. I'm going to go home and pass out.

brianchris
02-12-2004, 01:23 AM
Case in point for yesterday's patches? Read this one (of many) example from the Small Business Server 2003 Newsgroup: http://communities.microsoft.com/NewsGroups/previewFrame.asp?ICP=GSS3&sLCID=US&sgroupURL=microsoft.public.windows.server.sbs&sMessageID=%253C%[email protected]%253E
SBS is always the red-headed step child. It has problems that Win2000/2003 "fix" by recommending certain things be on different servers - something you can't do on SBS. SBS is a great idea, but I'll stick with multiple servers. More people have that and these patches get more extensive testing on those scenarios.

I admit you are correct in that SBS may encounter more patch problems than standalone server products, but less so with every version of SBS released. Indeed, with SBS 4.0, you were not able to apply WinNT, Exchange, etc. server patches, only special SBS patches. These days, SBS is mainly the independent server products (Windows Server, Exchange Server, SQL Server) with some nifty wizards and custom MMCs thrown in for ease of use and integration. Indeed, if one was to ask "what is SBS?" one potential answer is primarily those wizards and MMCs, along with the server products at extremely attractive pricing.

Perhaps I shouldn't have used an example out of the SBS newsgroup. But at the same time, one would be naive to assume no risk in installing these patches, even on standalone server products. The point is, there's less risk in patching (compared to not patching), and MS, to their credit, does eventually support and "patch the patches."

-Brian

Janak Parekh
02-12-2004, 02:39 AM
But at the same time, one would be naive to assume no risk at installing these patches, even on standalone server products.
Right -- I have a W2k server box that almost completely dies when I install SP4. I worked with it for a whole day, couldn't get it to go. I was lucky as it was to be able to boot into safe mode and downgrade it to SP3. Now the box sits in SP3; fortunately, Microsoft will be supporting SP3 for quite some time, but when that ends, I'll have to either glue my ear to a phone for a day or reinstall the box. :|

Fortunately, I've been lucky with the rest of my boxes. But, since I remotely administer many of them, I have to schedule the updates, because I'm always fearful of the situation where they don't come back up and I get an extra field trip for free to a customer site.

Jonathan1 -- I agree with some of your points, but you realize all vendors require patches, right? The big difference between Windows and UNIX is that, in UNIX, most patches can be applied without a reboot, which is a great thing for remote administration.

--janak

beq
02-12-2004, 06:31 AM
I have a W2k server box that almost completely dies when I install SP4. I worked with it for a whole day, couldn't get it to go. I was lucky as it was to be able to boot into safe mode and downgrade it to SP3. Now the box sits in SP3; fortunately, Microsoft will be supporting SP3 for quite some time, but when that ends, I'll have to either glue my ear to a phone for a day or reinstall the box. :|

Last month I'd installed something on our Win2K SP4 servers at work that coincidentally disabled DFS as a side-effect. Which later brought down our AD, DB, mail, file servers for a whole day, causing either continuous reboot cycles or BSODs. Unfortunately I wasn't even there that day. I came in after hours to fix but nothing worked. Our OS CD is the original gold version (pre-SP1), so guess what finally happened to our poor servers? Yep, actually reverted the HDD OS files back to the CD version (shudder). The problem stopped, then reapplied SP4, IE6SP1, etc, but then the problem came back!

Long story short, turned out to be a severe bug (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q824288) with Win2K SP4 (and only SP4) when DFS is disabled, apparently discovered by Microsoft last December. And the software vendor in question has since added this alert to their documentation.

Have since repatched everything but of course things got broken...

juni
02-12-2004, 07:22 AM
Thank God for sms distributions, saves a lot of leg work (with 8000 win2000 pcs). :)