By Susan Bradley
For a week that only resulted in one patch bulletin, there still seems to be a lot for me to wade through this month.
Perhaps some of that’s due to the fact that I’ve been doing my homework on my servers at the office. I’m getting ready to apply Small Business Server 2003 Service Pack 1, which is due prior to the end of May, plus SQL Server 2000 SP4/MSDE SP4 for databases.
SP4 for SQL Server brings two advantages: for the first time, hotfixes can be uninstalled, and 32-bit SQL Server running on the new 64-bit Windows systems will be supported.
In a future column, I’ll include a link to a listing of items to specifically look out for when applying SBS 2003 SP1. In general, before you apply a major service pack, make sure you have a good backup and in particular a System State backup. On a domain controller such as an SBS box, System State captures the registry, the Active Directory database and SYSVOL, the COM+ registration database, and the boot files, so the key elements of your server are backed up and can be restored should something go wrong.
Also, I always disable antivirus software before applying major service packs, and always reboot my server right before, just to make sure I have a healthy system. You should review the log files to check that there are no unusual entries, and note the normal pattern of events. This will help you spot any unusual “post-patch events.”
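As an added example that is not part of the column, here is how I would script the backup-and-baseline part of that checklist on Windows Server 2003/SBS 2003 using the tools that ship with the OS (ntbackup.exe and eventquery.vbs). The target folder D:\PreSP1 is an assumption; change it to suit.

```batch
@echo off
rem Pre-service-pack checklist (added example, not from the column).
rem Assumes Windows Server 2003 / SBS 2003 with ntbackup.exe and
rem eventquery.vbs present (both ship with the OS). The backup target
rem D:\PreSP1 is an assumption; point it at a disk with plenty of room.
setlocal
set TARGET=D:\PreSP1
if not exist "%TARGET%" mkdir "%TARGET%"

rem 1. System State backup. On an SBS box (a domain controller) this
rem    captures the registry, Active Directory database, SYSVOL, the
rem    COM+ registration database and boot files into one .bkf file.
rem    /J is the job name (required on the command line), /L:s writes a
rem    summary log you can read in ntbackup's Report menu afterwards.
ntbackup backup systemstate /J "Pre-SP1 System State" /F "%TARGET%\systemstate.bkf" /L:s

rem 2. Sanity-check the result: ntbackup does not reliably set
rem    ERRORLEVEL, so check that the file exists and is not tiny
rem    (a real System State backup is hundreds of megabytes).
if not exist "%TARGET%\systemstate.bkf" (
    echo System State backup file was not created - stop here.
    exit /b 1
)
for %%F in ("%TARGET%\systemstate.bkf") do if %%~zF LSS 1000000 (
    echo Backup file is suspiciously small - read ntbackup's log before continuing.
    exit /b 1
)

rem 3. Baseline the event logs: save the 50 most recent errors from the
rem    System and Application logs, so post-patch entries can be compared
rem    against what was "normal" before the service pack went on.
for %%L in (System Application) do (
    cscript //nologo %SystemRoot%\system32\eventquery.vbs /L %%L /FI "Type eq ERROR" /R 50 /FO TABLE > "%TARGET%\%%L-errors-before.txt"
)

echo Pre-patch checks complete. Disable antivirus, reboot, then apply the service pack.
endlocal
```

After the service pack is on, run the same eventquery.vbs line into an “-after” file and compare the two; anything new in the “after” file is your list of post-patch events to chase.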
Speaking of post-patch events, let’s revisit some of the patches we’ve had in prior months for some lingering issues.
Hotfix re-released, new MS05-019 coming, too
MS05-019 (893066): I’m still tracking issues with MS05-019. The Microsoft hotfix described in KB 898060, which was originally released to correct network connectivity problems with MS05-019 and Windows Server 2003 SP1, was re-released on May 9. Read the re-release notes, because in some cases you’re supposed to install the new fix, while in other cases you’re not.
Normally, the process of obtaining hotfixes is pretty fast and pain-free. In this case, I thought it a bit odd that I had to talk to a Networking Engineer, plus the patch wasn’t immediately packaged up for me before I obtained the original version of the patch.
Now it makes more sense. Hotfixes are ordinarily an easy, free call with minor fuss. But this time I got follow-up calls several times on this hotfix. This is the first time in a long time that I remember so many follow-ups. The reason they give for the hotfix process is that it allows for follow-up, and this should have been a clue to me that there was an issue with the fix.
Microsoft added a note to MS05-019 on May 11 that the entire security update will be re-released in June 2005, presumably on Patch Tuesday of that month. If you’re not having network connectivity problems after installing the April 12 version of MS05-019, MS recommends that you continue using it (or install it now, if you haven’t already) rather than waiting for the June version to come out.
Details on Snap Server and Mac write problems
MS05-011 (885250): In the Feb. 24, 2005, newsletter, I discussed issues with Adaptec Snap Servers and problems saving files after installing MS05-011. We finally have some Knowledge Base articles to sink our teeth into.
KB 896432 covers the issues with Snap Servers — you can use a workaround or obtain a patch from Adaptec. KB 896433 discusses issues with Macintosh computers.
MS releases one patch rated ‘Important’
MS05-024 (894320): We now come to the patch of the month. It fixes a remote code execution hole in Web View in Windows Explorer on Windows 2000: because of the way Web View handles certain HTML characters in a file’s preview fields, a specially crafted file can run code on your computer when it is merely selected (not opened) in Windows Explorer.
The problem was discussed in last month’s newsletter in an article by Chris Mosby. He described a simple workaround that many network administrators do anyway: Configure Windows Explorer to use its “Windows classic folders” view instead of its Web view.
Keep in mind that because this patch is rated merely “Important,” there will be no patch for Windows Me machines. Only “Critical” patches are released on Windows Update for Me. Thus, if you feel concerned about this issue and have older machines, simply avoid the threat by opening My Computer, then clicking Tools, Folder Options. On the General tab, click Use Windows Classic Folders. To fall victim to the exploit, you’d have to select an infected file or visit a malicious Web page, which would prompt you to click a link or take some other action.
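For admins who would rather push the classic-folders workaround out than click through Folder Options on each box, here is an added example (mine, not from the column or the bulletin) that sets and verifies the same switch from the command line. It assumes the XP/2003-style reg.exe syntax (reg.exe is built into XP and 2003 and comes with the Support Tools on Windows 2000), and that the WebView value under Explorer\Advanced is the one the “Use Windows classic folders” button writes, which is what it does on XP. It only touches HKCU, so it has to run once per user profile (a logon script is the obvious place).

```batch
@echo off
rem MS05-024 interim workaround (added example, not from the column or
rem the bulletin): turn off Web View in Windows Explorer for the current
rem user. Assumes XP/2003-style reg.exe syntax. HKCU only, so run it once
rem per user profile, e.g. from a logon script.
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

echo Current setting (1 = Web view, 0 = Windows classic folders):
reg query "%KEY%" /v WebView

rem Setting WebView to 0 is what the "Use Windows classic folders" radio
rem button in Folder Options writes. Explorer then stops rendering the
rem HTML preview pane, so merely selecting a crafted file no longer
rem reaches the vulnerable code.
reg add "%KEY%" /v WebView /t REG_DWORD /d 0 /f

echo Verifying:
reg query "%KEY%" /v WebView | find "0x0" >nul && (
    echo Classic folders enabled. Log off and back on so every Explorer
    echo window picks up the change, then confirm in Folder Options.
) || (
    echo WebView value not set - check the reg.exe output above.
)
```

Treat this as a stopgap: a user can switch Web view back on from the same Folder Options dialog, and only the MS05-024 patch itself removes the bug.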
Microsoft is changing its alert mechanism
My cell phone buzzed and my instant messenger also popped up with notifications of this month’s patch. (See example.) Both were sending me messages regarding this month’s security bulletins. Remember, Microsoft’s traditional security e-mails will be ending in July. New notification mechanisms will be taking over at that time.
To get security alerts via MSN Messenger, Windows Messenger, e-mail, or a mobile device, see Microsoft’s alerts registration page. For more information, including RSS feeds, see MS’s technical security notifications page.
New ‘security advisories’ start this month
This week we’re seeing the first of Microsoft’s new “security advisories.” These aren’t security bulletins, as such, but will advise us of important issues, whether or not a patch is available.
The first two advisories were issued on May 10, which is Patch Tuesday, but MS security program manager Stephen Toulouse said in an interview that future advisories will not necessarily come out at the same time as patches.
The first describes a vulnerability in Windows Media Player 9 and 10. MS released patches for these two programs in March via KB 892313.
The second explains the new, optional “tar pit” feature of Exchange Server 2003 on Windows Server 2003 SP1. Tar pitting deliberately delays the SMTP error responses Exchange sends back for invalid recipients, which slows down the dictionary (directory) harvesting attacks and spam runs that depend on getting fast answers from your server.
XP SP2 gets WPA2 Wi-Fi upgrade
One patch that probably should have been included in this month’s security advisories, described above, is the new upgrade to WPA2 (Wi-Fi Protected Access 2) for Windows XP SP2. KB 893357 offers a download that increases Wi-Fi security. It’s being widely deployed in organizations. I recommend you get it.
Windows Installer is missing in action
Windows Installer 3.1 was removed on May 3 from Software Update Services, Microsoft’s patch-download application. This was confirmed by Microsoft in a note in KB 894199. According to KB 898628, Windows Installer 3.1 could fail to install updates that replace one of Windows’ protected system files, which caused problems for some applications.
Firefox 1.0.4 adds to browser vulnerability wars
The Greyhats Security Group this week identified a new vulnerability in Firefox. The flaw became public when proof-of-concept code was unexpectedly released by the French Security Incident Response Team in an advisory. A hostile Web site could infect a Firefox user’s machine, using the Mozilla install-software function, if the user clicked an IFRAME on the page.
Fortunately, the security hole was mitigated by changes the Mozilla Foundation made to its software-download server. These changes should keep such an attack from working. No exploits have been reported in the wild at this writing, but a Firefox upgrade to version 1.0.4 has just been released that will close the hole for good. (See Brian Livingston’s story, above.)
It doesn’t seem necessary for you to do anything except install 1.0.4. But if you’re concerned, there’s an easy workaround, according to a Sans.org posting. This involves turning off a configuration setting called Allow Web sites to install software. To do this in Firefox, click Tools, Options, Web Features. This reconfiguration is hardly needed, because by default only Mozilla servers are authorized to download software, for the purpose of installing updates to Firefox.
The Greyhats posting included an ominous warning that other vulnerabilities have been found. (The post suggests these will not be revealed to whoever presumably leaked Greyhats’ proof-of-concept code to French SIRT.) Hopefully, these weaknesses have been disclosed to Firefox developers and will also be corrected in version 1.0.4. But the discussion just reinforces my paranoid belief that no browser should be trusted and you should consider Internet surfing one of your most dangerous activities. Always ensure you’re keeping yourself closely aligned with Brian’s Security Baseline (above) and have the necessary components to run a safe computer. As always, be careful out there.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.