Extra (out-of-sequence) security update: 23-Oct-08

[HansV]

Microsoft has announced that they will release a security update for Windows 2000, XP, 2003, Vista and 2008 on October 23, 10 AM Pacific Time (17:00 UTC). See Microsoft Security Bulletin Advance Notification for October 2008.

They must consider it very serious if they couldn't wait for the 'normal' release on the second Tuesday of the month.
As usual, Woody recommends *not* installing it yet, see Emergency Patches for Windows 200, XP and Server 2003.
I haven't experienced any problems with recent updates, I'll hazard installing it... <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

[Argus]

As per the MSFT Security Bulletin there is some workarounds for those who don't want to apply the update at this time.

Disable the Computer Browser and Server services. (The Computer Browser service is dependent on the Server service.) They also mentions some additional measures (as (almost) per usual, if there is a workaround), but most people use a firewall and blocks TCP ports 139 and 445.

They say the following about workarounds, also as usual:
"Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality".

If one don't have a network, i.e. a stand alone system, the services could perhaps be disabled for now as a temporary workaround. Or be “hazardous” <img src=/S/grin.gif border=0 alt=grin width=15 height=15> and install it, or perhaps do nothing and wait. <img src=/S/smile.gif border=0 alt=smile width=15 height=15>

[HansV]

They also state that a firewall helps protecting against the problem, and that being logged in as a liimited user (default in Windows Vista and 2008) helps.

I installed the update without problems; I had to reboot my PC.

[Argus]

Yes, that was the cause why I mentioned:

"They also mentions some additional measures" [...] "use a firewall and blocks TCP ports 139 and 445."

But the two: use a firewall and block 139 & 445; is commonly seen in their workarounds, that was the reason I worded it that way. A reboot (restart in MSFT lingo) would be expected, since it is required in this case. Good to here the install went fine.

[bigaldoc]

Ordinarily I throw caution to the winds on any updates that MS calls security or important, but I think in this case I'm going with Woody on this one and gonna wait awhile to see what happens. My caution is brought about by the fact that, while in XP the updates page took a long, long, long time to even render on my screen and THAT makes me nervous! Was it just heavy traffic or what and since I have no way of knowing, I think I'll pass for awhile.

On the other hand, in my Vista system, the updates page came up right away, also showing an update for Windows Defender, but I still think I'll hold off for a few days to see what's cooking...

[BATcher]

There's an analysis of the requirement for the patch in the latest Windows Secrets newsletter... (if you can get the site to load - it seems to be busy!)

[bigaldoc]

They've also sent out a special email with this update. So, I changed my mind and ran the XP update without a problem. Just for the heck of it, I re-checked the Windows Update site and it says I'm up to date now. <!profile=Yerubal>Yerubal<!/profile> made <post:=739,328>post 739,328</post:> in the Security Forum. I wonder, Hans, if this thread should be moved there?

[HansV]

Jefferson added a link to this one, so now the notice can be found both here and in the security forum.

[viking33]

Just as comforting info, I installed this patch an BOTH my XP and Vista partitions last night.
All went well, no hitches or glitches.

Judging by the descriptions of the need for this patch, I think it should be installed by all ASAP.

[djmoore]

I guess an oops is in order, but I posted a message in the Windows Servers area on this patch before I came over here and found this thread.

I installed the patch on a Windows Server 2003 R2 Terminal Services server and ran into problems connecting out to the internet; presumably it's an issue with specific ports, but with the patch installed I could not do any research from either the server or from my laptop, which connection was also affected by the patch, so I uninstalled it. We run a Sonicwall firewall here anyway, so I'm not AS worried as I would be otherwise.

I DID install it on my home PC (XP Pro, SP3) last night, though, and as of this morning I wasn't seeing any problems with internet access in that environment.

[Duchess843]

I was notified of the emergency patch by reading Windows Secrets which I generally read first. No sooner than I digested what it was saying I installed the patch. That bad thing won't get me.

[Argus]

With the MS06-040, for the Server service, some years ago they had to release a second version of the update for: Windows Server 2003 SP1 (32/64) and Windows XP Professional x64 Edition, due to some memory problems running 32-bit applications on the mentioned operating systems.

[unkamunka]

>Disable the Computer Browser and Server services.

Are we saying - or is it being said - that if these services are turned to Manual startup (as opposed to the default Automatic) that the exploit will start them?

[Argus]

Good question. I am no security expert nor do I have any deeper knowledge about the Windows services, but:
Since the vulnerability discussed (remote code execution) is caused by the Server service not properly handling specially crafted RPC requests, I would say that if the Server service is in manual a RPC request could start it. Thus the mentioned workaround at MSFT.

A service starts if required or called upon from software, but I don't know if every service behaves the same when in Manual.

As for the Computer Browser service, since it depends on the Server service and the problem is with the Server service, disabling the Server service would get Computer Browser service in problem. Therefore they mention disabling Computer Browser service first (it depends on Server), then they mention the Sever service. Nothing else depends on the Server service but the Computer Browser service.

I installed the update on Windows XP system some day ago and so far no problems.

I must say I first thought that some of the reports (about the update) at some sites were a little alarmist (MSFT goes out of cycle etc.), the situation for, for instance, Windows XP is better than before SP2 as we all know; the firewall is enabled by default and the Security center made people aware of security issues etc. But even with a firewall people can get problems if they use file and printer sharing in this case.

[djmoore]

Is the jury still out about this patch?
I'm not one to discount the chance of coincidence, but I have two separate clients both of whose servers autgo-installed this patch; the first I have described in the Windows Server forum, and we had problems, so I uninstalled the patch on both servers - they are still having intermittent connectivity problems which we cannot isolate, but neither can we attribute to this patch or its uninstallation.
The second client (where I am today) is having network printing issues, but in addition a few users, when they log in, say they get a popup message about an IP address change (I have yet to see this message, though, so I am not sure of its nature or even what it actually states). Again, nothing to tie it to the patch or its absence (I uninstalled it on all 3 servers here last week) - but I'm nervous on two levels - one, they might have deep problems caused by removing this patch. two, I can easily go from the good guy for catching the patch alert and acting on it to protect our clients, to the bad guy for uninstalling a patch and thus exposing them to whatever happened.
And today I received an email from Shavlik Technologies stating

<hr>Join Shavlik Security Experts on November 4th to Discuss Why MS08-067 is Critical to Apply Immediately.*
The release of MS08-67 marks only the fourth time that Microsoft has released an out-of-band patch. While it may be tempting to wait to apply this patch with other bulletins on November’s Patch Tuesday, delaying may give hackers just enough time to infiltrate your network, take control of vulnerable computers, and steal sensitive data with no blue screen of death to indicate their presence.<hr>

So ... has there been a determination, either from Woody or from anyone else to indicate how this patch behaves with Windows Server 2003 (R2)? Shavlik may make me nervous, but Woody is still the go-to guy.