Will 839645 disable this?

George Hester

Here is KB839645:

http://support.microsoft.com/default.aspx?scid=kb;en-us;839645

This fixes a security issue with the Windows Shell. There is no workaround for it and so that means if I remove this security vulnerability it is permanent. I don't really like doing that unless I know the repercussions.

On this page:

http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx

we are directed to 839645 for a discussion of the known issues that can result from installing this security fix. All the issues seem to be specific to Windows XP and 2003. That's good for Windows 2000. But let's investigate further.

Since 839645 says that it applies to Windows 2000 and there is no mention of Windows 2000 in the body of the article, we again are left in a quandary as to exactly how this fix can affect Windows 2000. To that end we must return to ms04-024.mspx link above and check out:

FAQ for Windows Shell Vulnerability. In this it says:

What does the update do?
The update removes the ability to use a CLSID as a file type within Windows Shell

So I am assuming this is what this update does to Windows 2000. That's all well and good but exactly what does that mean? Well googling we find this:

http://www.microsoft.com/msj/archive/S332.aspx

an old article. I am assuming that if we install this Shell security fix then that article becomes null and void. In other words the Shell security fix will result in that article no longer working. And if so that seems not such a bright idea.
The fact that this is a remote exploit makes this issue more disturbing but again I need to consider the likelihood of running into such a remote exploit versus the implications of installing the security update.

What's the opinion of the experts here? Thanks.
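To make the FAQ line quoted above concrete, here is an added example (not part of the original post, and not Microsoft's code) that flags file names whose final extension is a brace-enclosed CLSID. It assumes that is what "a CLSID as a file type" refers to; the function names, sample paths and GUID are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Brace-enclosed GUID in registry format.
_GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# The GUID must be the final extension. Win32 drops trailing dots and
# spaces from a file name, so tolerate them after the closing brace.
_CLSID_EXT = re.compile(r"\.(" + _GUID + r")[. ]*$")

# Constructed sample paths; the GUID is a placeholder, not a real class.
SAMPLE_PATHS = [
    r"C:\share\invoice.txt.{01234567-89ab-cdef-0123-456789abcdef}",
    r"C:\share\setup.{01234567-89AB-CDEF-0123-456789ABCDEF}. ",
    r"C:\share\notes.{01234567-89AB-CDEF-0123-456789ABCDEF}.txt",
    r"C:\share\report.doc",
    r"C:\share\{01234567-89AB-CDEF-0123-456789ABCDEF}",
]


def _match(path):
    """Match a CLSID extension on the last path component only."""
    return _CLSID_EXT.search(PureWindowsPath(path).name)


def clsid_extension(path):
    """Return the upper-cased CLSID used as the final extension, or None."""
    m = _match(path)
    return m.group(1).upper() if m else None


def audit(paths):
    """Return (path, clsid, stem) for each name that ends in a CLSID.

    stem is the part of the file name before the CLSID extension, which
    can itself carry an ordinary-looking extension such as ".txt".
    """
    findings = []
    for p in paths:
        m = _match(p)
        if m:
            findings.append((p, m.group(1).upper(), m.string[: m.start()]))
    return findings


if __name__ == "__main__":
    for path, clsid, stem in audit(SAMPLE_PATHS):
        print(f"{path!r}: stem={stem!r} clsid={clsid}")
```

Running `audit()` over a directory listing or an attachment log before and after patching shows whether anything in the environment actually relies on such names.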
 
Lanwench [MVP - Exchange]

George said:
> Here is KB839645:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;839645
>
> This fixes a security issue with the Windows Shell. There is no
> workaround for it and so that means if I remove this security
> vulnerability it is permanent. I don't really like doing that unless
> I know the repercussions.
>
> On this page:
>
> http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
>
> we are directed to 839645 for a discussion of the known issues that
> can result from installing this security fix. All the issues seem to
> be specific to Windows XP and 2003. That's good for Windows 2000.
> But let's investigate further.
>
> Since 839645 says that it applies to Windows 2000 and there is no
> mention of Windows 2000 in the body of the article, we again are left
> in a quandary as to exactly how this fix can affect Windows 2000. To
> that end we must return to ms04-024.mspx link above and check out:

Affected software:

....

Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack
3, Microsoft Windows 2000 Service Pack 4"

and....

Known issues
871242 After you install security update 839645, you may again experience
symptoms that were fixed by hotfix 830411 for Windows XP Service Pack 1

871262 Shortcuts on the desktop do not work after you install security
update 839645 in Windows NT 4.0

So they don't mention any *known* issues installing this on W2k.

> FAQ for Windows Shell Vulnerability. In this it says:
>
> What does the update do?
> The update removes the ability to use a CLSID as a file type within
> Windows Shell
>
> So I am assuming this is what this update does to Windows 2000.

Yes, it's what it does for all the OSes you install it on.

> That's all well and good but exactly what does that mean? Well
> googling we find this:
>
> http://www.microsoft.com/msj/archive/S332.aspx

What did you google for? That's an old article about WinNT4 and Win95. Dated
from 1996. How is it relevant? Are you using NT4, and if so, did you make
the listed registry & .ini changes in it?

> an old article. I am assuming that if we install this Shell security
> fix then that article becomes null and void. In other words the
> Shell security fix will result in that article no longer working.

Sometimes it takes a while for MS to update KBs - and sometimes they seem to
forget to. And this wasn't a KB article....but again, is it even relevant to
your server(s)?

> And if so that seems not such a bright idea.
> The fact that this is a remote exploit makes this issue more
> disturbing but again I need to consider the likelihood of running
> into such a remote exploit versus the implications of installing the
> security update.
>
> What's the opinion of the experts here? Thanks.

Install it. Take backups first. You need to keep on top of your updates.
 
George Hester

Lanwench I appreciate your feedback. One thing you may not know. Although articles are relevant to Windows NT 4 and Windows 95, the technology that is in those systems still applies to Windows 2000. Windows 2000 is after all Windows NT 5. No, it is not in my benefit to install a security update in the off chance and likely remote chance that I will be affected by it.

Let me explain by an example. Many security updates are NOT remote exploits. Exploits that are there by a user who logs on locally to the system and not as anonymous. Since that never happens on my servers those exploits I am pretty much immune to. And the risk of installing the security fix is more than the risk of someone with sufficient credentials is going to log on locally to my servers. Might happen yes but not likely.

We need to consider our security fixes as what is called Risk Assessment. There is a whole school of thought devoted to that. It's a science in its own right. My application of it is probably not as it should be done but I am not going to ignore it. Again thanks for your feedback.
 
Lanwench [MVP - Exchange]

George said:
> Lanwench I appreciate your feedback. One thing you may not know.
> Although articles are relevant to Windows NT 4 and Windows 95, the
> technology that is in those systems still applies to Windows 2000.

Well, not Win9x.

> Windows 2000 is after all Windows NT 5.

Yep.

> No, it is not in my benefit
> to install a security update in the off chance and likely remote
> chance that I will be affected by it.

I don't agree, but your server isn't my server. :)

> Let me explain by an example. Many security updates are NOT remote
> exploits. Exploits that are there by a user who logs on locally to
> the system and not as anonymous. Since that never happens on my
> servers those exploits I am pretty much immune to. And the risk of
> installing the security fix is more than the risk of someone with
> sufficient credentials is going to log on locally to my servers.
> Might happen yes but not likely.

Really depends on the patch. And for a lot of patches that protect against
exploits, if you don't keep *all* your machines on the network patched, one
unprotected workstation can take down your network. It's your call. I prefer
to be fairly zealous about patching. If you have the luxury of a lab
environment, test things out there first...that's always a good idea.

> We need to consider our security fixes as what is called Risk
> Assessment. There is a whole school of thought devoted to that.
> It's a science in its own right.

I'd argue that it's more of an arcane art. ;-)

> My application of it is probably
> not as it should be done but I am not going to ignore it. Again
> thanks for your feedback.

No problem - hope it was helpful.
 