October 12, 2004: Microsoft Patch Day Update

Whew--what a day! I spent most of the morning preparing for my presentation at the Virtual Server 2005 launch events (I'll be speaking in Kansas City, St. Louis, and Nashville). Everything was going along fine until lunchtime. That's when the monthly Microsoft vulnerability e-mail hit my inbox. I had to count them twice--but the total was still an unbelievable TEN vulnerabilities. In all fairness, one vulnerability only applies to NT 4.0 (which you aren't running anymore, right?). Still, nine vulnerabilities is a large number for one month. Well... no use complaining, let's jump right in and pick 'em apart.

Note: I'll update my patch spreadsheet tomorrow night on my way to St. Louis. For now you'll just need to combine the brief synopsis below with the current patch list to get the complete picture for each OS.

  • MS04-029: RPC Vulnerability in NT 4.0. In case you are wondering, NT 4.0 Workstation support is dead, and NT 4.0 Server support is on it's last leg (ends Dec. 31, 2004). Enough said.
  • MS04-030: WebDAV DoS Vulnerability. This update only applies to systems running IIS. Plus, WebDAV is not enabled by default in Windows 2003. So the real risk here is for web servers running Windows 2000 that don't have WebDAV disabled, or Windows 2003 servers that have WebDAV manually enabled. Bottom line - figure out where you stand with WebDAV and if you can't disable it then you should apply the patch for this vulnerability.
  • MS04-031: NetDDE Vulnerability. NetDDE is an older application communication technology that has mostly been replaced with DCOM. The NetDDE service is not enabled by default on any system. Therefore, unless you've enabled it (which probably means you need it) then you don't need this patch.
  • MS04-032: 4-in-1 Update for Kernel, etc. This is a high-priority update. Make sure you apply the update for these vulnerabilities on all workstations ASAP and on your servers during the next maintenance window.
  • MS04-033: Excel Vulnerability. Not a big deal if you're on the current service pack for your version of Office. You are running the most recent Office service pack, aren't you? If not, I'd suggest you spend your valuable time updating to the current Office service pack instead of only deploying the patch for this update.
  • MS04-034: Compressed (zipped) Folders Vulnerability. This vulnerability can only be exploited if you unzip a file using the built-in compressed folders utility (i.e. not WinZip). Therefore, if you are careful about your choice of ZIP files you can avoid this update on servers. I'd go ahead and apply it to workstations because you can never be too sure what users are going to do. ;)
  • MS04-035: SMTP Vulnerability. Another high-priority vulnerability to patch ASAP. Only applies to servers - not workstations. If you have Exchange 2003 servers which route mail to/from the Internet you need to apply this update IMMEDIATELY. If you have an SMTP relay server between your Exchange servers and the Internet you can relax a little bit. However, I'd say any Internet facing Exchange server should be updated on an emergency basis (with or without a maintenance window). This is a bad one!
  • MS04-036: NNTP Vulnerability. This vulnerability barely makes my "must-patch" list. However, in the rare instance that you are actually running NNTP you could be in for a serious hacking incident if you leave your servers unpatched. I'd still recommend disabling NNTP wherever possible (it's not required unless you're hosting newsgroups - Exchange public folders work fine without NNTP). If NNTP is disabled you can forego the patch for this vulnerability until the next service pack.
  • MS04-037: Windows Shell Vulnerability. 2-in-1 update. Both vulnerabilities are of the remote code execution family... which means they make my "must-patch" list. The only good news about these vulnerabilities is that they require user interaction to be exploited. And as you know, I give server administrators a lot more credit than the average user... meaning you can probably forego this update on servers and just focus on workstation deployment.
  • MS04-038: IE Cumulative Update. Always install the latest IE rollup fix. This update is no different. Run, don't walk, and install this on all servers and workstations.

Like I said before--Whew! It's 11:00 and I need my beauty sleep before tomorrow. I hope the descriptions above help you make sense of the October vulnerabilities. As always - your mileage may vary. I'll get the patch recommendation spreadsheet updated as soon as possible. Look for it in the next day or two. Until then, happy testing and patching (you are testing, right?).