Importance of Microsoft patches called understated

Some security experts rated a few of December's Microsoft bulletins higher than "important," and they explained why.

Security patches released last week by Microsoft seem to be working without a hitch so far, although some think that the company understated their importance.

Five, labeled "important" by the software company fix vulnerabilities in Windows that could have been exploited by attackers to run malicious code, to change or delete data or to cause a denial of service attack. MS03-028, affecting JPEG parsing (GDI+) in Windows, was also re-released to account for new updates for Microsoft Visual FoxPro 8.0 and the Windows .NET Framework 1.0 and 1.1 without Service Pack 1.

A sixth update, deemed "critical," was also released last week to address vulnerabilities in the XP SP2 firewall, but it was not included in the Tuesday release. Microsoft said last week that it did not release a bulletin along with the others because the problem was not new, nor was it a code vulnerability patch. Even so, IT administrators are puzzled as to why the company didn't announce the information with a security bulletin.

Mark Loveless, senior security analyst with Houston-based BindView Corp., said that his company rated some of the bulletins as higher priority than Microsoft. "We considered three of them to be high, like the DHCP one for NT, mainly because it was a remote compromise that didn't require any user intervention." He also said that MS04-045, addressing a WINS vulnerability and MS04-044, fixing a vulnerability in the Windows Kernel and LSASS that would have allowed a hacker to elevate privilege, fixed high-priority problems.

"They seemed pretty critical to me but I don't know what the metrics are to determine the ratings. I certainly patched my machines to those vulnerabilities," said Brian Bartlett, systems engineer at Ecora Software Corp. in Portsmouth, N.H. "I thought the ratings on them were understated as only important. Most of the vulnerabilities that were patched were the types where the hacker could take over the machine."

He said that while deploying the patches he found conflicts with previous Microsoft security patches. Security bulletins MS04-041, MS04-043 and MS04-044 overwrote a file that had been installed by MS04-038 and MS04-040. The file that is overwritten is the same version but a different size, Bartlett said.

As for whether the patches resolve the issues they were meant to remedy, Loveless said things are going smoothly so far.

"They do seem to be doing what they said they'd do," he said. "The main thing is to determine what risk behavior is going to look like so you've got to find the bug. Then you have to invoke the bug to a certain degree, and then you have to go with it. You're at the mercy of Microsoft."

Windows 2000 Server, XP, NT and Server 2003 are among the affected products.

This news story originally appeared on SearchWindowsSecurity.com.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close