MS04-011 (835732): Out of four major security updates released on Apr. 13 by Microsoft on its regular monthly patch schedule, the MS04-011 bulletin stands out as a whopper. It replaces more than a dozen previous security patches that Microsoft delivered to users during the past five years. In doing so, it attempts to close 14 newly discovered weaknesses.
Redmond rates the importance of the update as “critical” — its most severe risk category — and notes that it fixes problems on all recent versions of Windows: NT 4, 2000, XP, and Server 2003. Windows 98 and Me are not critically affected, Microsoft says.
A revised version of the security bulletin was released as recently as Apr. 21 to add NT 4 detection capabilities to Microsoft’s Baseline Security Analyzer (MBSA) and make other technical changes. If you downloaded the patch prior to Apr. 21, you should check it again.
Of the 14 security flaws corrected by the update, 8 allow intruders to remotely gain control of Internet-connected machines and run rogue software on them. This makes it urgent that vulnerable machines be protected against attacks.
Unfortunately, MS04-011 — like a small number of other security updates in the past couple of years — seems to have coding errors. Users have reported machines that have become useless, with 100% CPU utilization or constant rebooting, along with other problems.
For this reason, I recommend that you examine the workarounds in the Vulnerability Details section of the MS04-011 bulletin to see if they would be sufficient to protect your particular hardware/software configuration without installation of the update itself. I’ll report more details in future issues of Brian’s Buzz as they become known.