By Susan Bradley
Where has the week gone? We started with a new pope, we’re still shaking out issues with both Windows 2003 SP1 and Microsoft’s April patches, and I’ve decided that turning Japanese is the way to go. At least when it comes to security bulletins, anyway.
Let’s start off with the language situation, and then turn to some issues that have cropped up since my last Patch Watch.
Why Japanese bulletins are clearer
It was Steve Riley, a senior program manager in Microsoft’s Security Business and Technology Unit, who first pointed out that the Japanese versions of Microsoft security bulletins are actually very helpful in clearly identifying how the "bad guys" can get you.
While it may otherwise take several pages of reading to come to conclusions in any bulletin (regardless of your language), looking at the pictures in the Japanese security bulletins can, interestingly enough, be quite helpful in understanding the impact.
Take, for example, two bulletins I showcased in the last issue as being critical: MS05-021 (894549), the Exchange server security issue, and MS05-023 (890169), the Office patch. On the Japanese Web site, MS05-021 looks like this, and MS05-023 looks like this.
Above: Illustration from the Japanese version of MS05-021.
Having pictures that demonstrate how something will "get you" helps me better understand the risks.
2003 SP1 bonks MOM Admin Console
First off, Microsoft’s Operations Manager (aka "MOM") had issues with the Administrator Console failing after you install Windows 2003 SP1. There’s now a patch available to fix this issue.
TCP/IP patch causing a few fits
Security Bulletin MS05-019 (893066) is so far the "problem bulletin" of the April batch. Problems with VPN and FTP have been reported on NTBugtraq. So far, one of the recommended workarounds we’ve been seeing for Windows 2003 is to adjust the MTU setting on both the clients and the servers to 1400.
Proofs of concept circulate before fixes
Historically speaking, two years ago we had about 12 months between when a patch was released and when we saw exploits "in the wild." Around a whole year could go by before you truly saw worms, viruses or exploits circulating on the Web.
These days, I’ve seen so much "test exploit code" and so many "proofs of concept" pass through my e-mail since the April 12 bulletins came out that I’ve lost count of which flaws don’t have such things already floating around the Web.
The Security Mentor blog touched on how the progression from patch to proof-of-concept to exploit to worm is getting shorter and shorter. I recently did a Webcast on Windows Patches and included a table of the shortening time frame we have these days between patching and exploit. We’re now even suffering from "security firms" that disclose vulnerabilities before there’s a patch.
The MSRC blog, in fact, has a discussion regarding a recently published exploit, which affects Windows folder views, for which there’s no patch at this time. (See "Windows 2000 Web views can be exploited" in Chris Mosby’s column, above.)
My view is similar to that of the Microsoft Security Response Center — it would take quite a bit of user interaction for this to affect my company. Therefore, I place a higher priority on people installing the MS05-021 (894549) Exchange patch and the MS05-023 (890169) Office patch, both of which came out on April 12. Many small firms do not have automatic patch tools that will roll these two fixes out. (See my article in the Apr. 14 newsletter for instructions on downloading these patches manually.)
Patching tools are coming our way
I read the great news this week that both WSUS (Windows Server Update Services) and MU (Microsoft Update) appear to be on track to be released in June. WSUS is the small- and medium-business patch tool (formerly called Software Update Service) that will allow a firm to download patches to a server and then deploy the patch. Microsoft Update is the next version of Windows Update, which will support Windows and Office patches as well as Windows bump revs. When these two tools come out, we’ll have a lot more help managing patches on our systems.
Opera’s siren song is getting louder
Apple users, don’t forget to patch
Vulnerabilities come in all shapes and sizes, and this month is no exception. Apple users are urged to upgrade to the 10.3.9 version due to some critical patches that just came out. As in any operating system these days, there’s a new browser patch to protect against HTML and Java exploits.
Last but not least
I typically end Patch Watch columns with a reminder that you need to contact Microsoft Product Support Services and urge MS to resolve any issues you find with patches. This was recently emphasized on the security blog of Microsoft employee Jerry Bryant. If we don’t call in, these issues won’t get resolved.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.