Re: Will 839645 disable this?

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 10/03/04


Date: Sun, 3 Oct 2004 12:49:51 -0400

George Hester wrote:
> Lanwench I appreciate your feedback. One thing you may not know.
> Although articles are relevant to Windows NT 4 and Windows 95 the
> technology that is in those systems still applies to Windows 2000.

Well, not Win9x.

> Windows 2000 is after all Windows NT 5.

Yep.

> No it is not in my benefit
> to install a security update in the offchance and likely remote
> chance that I will be affected by it.

I don't agree, but your server isn't my server. :-)
>
> Let me explain by an example. Many security updates are NOT remote
> exploits. Exploits that are there by a user who logs on locally to
> the system and not as anonymous. Since that never happens on my
> servers those exploits I am pretty much immune to. And the risk of
> installing the security fix is more than the risk of someone with
> sufficient credentials is going to log on locally to my servers.
> Might happen yes but not likely.

Really depends on the patch. And for a lot of patches that protect against
exploits, if you don't keep *all* your machines on the network patched, one
unprotected workstation can take down your network. It's your call. I prefer
to be fairly zealous about patching. If you have the luxury of a lab
environment, test things out there first...that's always a good idea.
>
> We need to consider our security fixes as what is called Risk
> Assessment. There is a whole school of thought devoted to that.
> It's a science in its own right.

I'd argue that it's more of an arcane art. ;-)

> My application of it is probably
> not as it should be done but I am not going to ignore it. Again
> thanks for your feedback.

No problem - hope it was helpful.
>
>> George Hester wrote:
>>> Here is KB839645:
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;839645
>>>
>>> This fixes a security issue with the Windows Shell. There is no
>>> workaround for it and so that means if I remove this security
>>> vulnerability it is permanent. I don't really like doing that unless
>>> I know the repercussions.
>>>
>>> On this page:
>>>
>>> http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
>>>
>>> we are directed to 839645 for a discussion of the known issues that
>>> can result from installing this security fix. All the issues seem
>>> to be specific to Windows XP and 2003. That's good for Windows
>>> 2000. But let's investigate further.
>>>
>>> Since 839645 says that it applies to Windows 2000 and there is no
>>> mention of Windows 2000 in the body of the article, we again are
>>> left in a quandary as to exactly how this fix can affect Windows
>>> 2000. To that end we must return to ms04-024.mspx link above and
>>> check out:
>> Affected software:
>>
>> ...
>>
>> Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000
>> Service Pack 3, Microsoft Windows 2000 Service Pack 4"
>>
>> and....
>>
>> Known issues
>> 871242 After you install security update 839645, you may again
>> experience symptoms that were fixed by hotfix 830411 for Windows XP
>> Service Pack 1
>>
>> 871262 Shortcuts on the desktop do not work after you install
>> security update 839645 in Windows NT 4.0
>>
>> So they don't mention any *known* issues installing this on W2k.
>>>
>>> FAQ for Windows Shell Vulnerability. In this it says:
>>>
>>> What does the update do?
>>> The update removes the ability to use a CLSID as a file type within
>>> Windows Shell
>>>
>>> So I am assuming this is what this update does to Windows 2000.
>>
>> Yes, it's what it does for all the OSes you install it on.
>>
>>> That's all well and good but exactly what does that mean? Well
>>> googling we find this:
>>>
>>> http://www.microsoft.com/msj/archive/S332.aspx
>>
>> What did you google for? That's an old article about WinNT4 and
>> Win95. Dated from 1996. How is it relevant? Are you using NT4, and
>> if so, did you make the listed registry & .ini changes in it?
>>
>>
>>> an old article. I am assuming that if we install this Shell
>>> security fix then that article becomes null and void. In other
>>> words the Shell security fix will result in that article no longer
>>> working.
>>
>> Sometimes it takes a while for MS to update KBs - and sometimes they
>> seem to forget to. And this wasn't a KB article....but again, is it
>> even relevant to your server(s)?
>>
>>> And if so that seems not such a bright idea.
>>> The fact that this is a remote exploit makes this issue more
>>> disturbing but again I need to consider the likelihood of running
>>> into such a remote exploit versus the implications of installing the
>>> security update.
>>>
>>> What's the opinion of the experts here? Thanks.
>>
>> Install it. Take backups first. You need to keep on top of your
>> updates.


