Zotob worm patch?

t.cruise

I know that many in this group support downloading Windows XP updates. Personally, I
download and install ONLY what is absolutely necessary, which for me has avoided problems
with smooth running systems. There has been much media attention the past couple of days
about the Zotob worm, I.E., PnP and compromised Windows security. I know that there is a
patch available for download at the Microsoft web site
WindowsXP-KB899588-x86-ENU.exe

But, there has been mass media hysteria in the past about viruses and worms, none of which
have made their way to any of my systems with broadband internet connections, without my
having to download and install the plethora of security patches at the Windows Update. My
question is, if I have a decent firewall am I already protected, or do I really need to
install this patch?
 
Carey Frisch [MVP]

All "critical updates" are considered "absolutely necessary" to maintain
the security of your Windows XP operating system.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

-------------------------------------------------------------------------------------------

:

| I know that many in this group support downloading Windows XP updates. Personally, I
| download and install ONLY what is absolutely necessary, which for me has avoided problems
| with smooth running systems. There has been much media attention the past couple of days
| about the Zotob worm, I.E., PnP and compromised Windows security. I know that there is a
| patch available for download at the Microsoft web site
| WindowsXP-KB899588-x86-ENU.exe
|
| But, there has been mass media hysteria in the past about viruses and worms, none of which
| have made their way to any of my systems with broadband internet connections, without my
| having to download and install the plethora of security patches at the Windows Update. My
| question is, if I have a decent firewall am I already protected, or do I really need to
| install this patch?
| --
|
| T.C.
 
Fuzzy Logic

| I know that many in this group support downloading Windows XP updates.
| Personally, I download and install ONLY what is absolutely necessary,
| which for me has avoided problems with smooth running systems. There
| has been much media attention the past couple of days about the Zotob
| worm, I.E., PnP and compromised Windows security. I know that there is
| a patch available for download at the Microsoft web site
| WindowsXP-KB899588-x86-ENU.exe
|
| But, there has been mass media hysteria in the past about viruses and
| worms, none of which have made their way to any of my systems with
| broadband internet connections, without my having to download and
| install the plethora of security patches at the Windows Update. My
| question is, if I have a decent firewall am I already protected, or do I
| really need to install this patch?
| --
|
| T.C.
| t__cruise@[NoSpam]hotmail.com
| Remove [NoSpam] to reply

Of course you don't NEED to install the patch. You MAY be safe but on the
other hand the patch is free and a small download so why not install it?

I'd be curious how you decide what is absolutely necessary? In my books that
would be any patches classified as critical.
 
t.cruise

I respect your opinion. I have found, what Microsoft considers critical, is not always
critical. Many critical updates should have a disclaimer: If you are using a decent
firewall, then this update is not necessary. My question was not answered though. If one
has a decent firewall, will that stop the zotob worm from infecting a system?
 
Leythos

| I'd be curious how you decide what is absolutely necessary? In my books that
| would be any patches classified as critical.

While all patches are critical in nature, until you test them against
your environment there is little reason to blindly install them, unless
the patch provides immediate protection for a problem you are
immediately exposed to. In many cases the exposure path is limited and
you can safely wait/test the patches and then install them.
 
Leythos

t__cruise@ said:
| My question was not answered though. If one
| has a decent firewall, will that stop the zotob worm from infecting a system?

Your question has no direct answer as we don't know your network.

Ask yourself this - do you know how it gets into a network? All possible
paths?

Does your firewall protect you from all of those paths?
 
t.cruise

Fuzzy Logic said:
| | I know that many in this group support downloading Windows XP updates.
| | Personally, I download and install ONLY what is absolutely necessary,
| | which for me has avoided problems with smooth running systems. There
| | has been much media attention the past couple of days about the Zotob
| | worm, I.E., PnP and compromised Windows security. I know that there is
| | a patch available for download at the Microsoft web site
| | WindowsXP-KB899588-x86-ENU.exe
| |
| | But, there has been mass media hysteria in the past about viruses and
| | worms, none of which have made their way to any of my systems with
| | broadband internet connections, without my having to download and
| | install the plethora of security patches at the Windows Update. My
| | question is, if I have a decent firewall am I already protected, or do I
| | really need to install this patch?
| | --
| |
| | T.C.
| | t__cruise@[NoSpam]hotmail.com
| | Remove [NoSpam] to reply
|
| Of course you don't NEED to install the patch. You MAY be safe but on the
| other hand the patch is free and a small download so why not install it?
|
| I'd be curious how you decide what is absolutely necessary? In my books that
| would be any patches classified as critical.

It would be for an immediate problem, such as support for hardware, which was not
available prior to the update. Aside from that, when it comes to security, the Zone
Alarm firewall, and safe internet computing practices have kept my systems clean and
running smoothly, without downloading even one Windows Update for the past couple of
years. I never updated my SP1 systems to SP2, and all is fine with them. I know the
hardware/drivers/Software/Utilities and resources on those systems, and looked at the risk
v. benefit of updating them to SP2. I decided not to. I realize that the majority of
people who updated to SP2 did not have any problems, but some had major problems during
and after the SP2 update. My SP1 systems are still running fine. I realize that there
are many people who will disagree with my practices and logic. Working on other people's
systems is one thing. But, downloading an update which does not play nice with one of my
configurations is something that I do not want to waste time fixing, even if the fix only
involves an hour of my time. Or, downloading an update and then needing to do a System
Restore to a time prior to the download of that update, because of another problem, which
would mean downloading the update again, is something I do not want to have to keep track
of, or get involved with, unless absolutely necessary.
 
Fuzzy Logic

| While all patches are critical in nature, until you test them against
| your environment there is little reason to blindly install them, unless
| the patch provides immediate protection for a problem you are
| immediately exposed to. In many cases the exposure path is limited and
| you can safely wait/test the patches and then install them.

I was referring to patches classified as 'critical' by Microsoft. For more
info on Microsoft's ratings visit this site:

http://www.microsoft.com/technet/security/bulletin/rating.mspx

A quote from the above site:

"We believe that customers who use an affected product should almost always
apply patches that address vulnerabilities rated critical or important.
Patches rated critical should be applied in an especially timely manner."

If you read the bulletins there are often other ways to address the
vulnerability which can be used while you test the patch.

I support about 600 users all using automatic update (critical patches
installed as soon as they are available) and my experience has been that
we haven't had a problem with these updates since the days of Windows NT.
Of course your environment may be different.
 
t.cruise

My systems are not networked to each other. Each is stand alone, with its own Road Runner
internet connection. Each has the Zone Alarm firewall.
--

T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply
 
Leythos

| I was referring to patches classified as 'critical' by Microsoft. For more
| info on Microsoft's ratings visit this site:

Yes, I know what you were referring to, and my statement stands.

Some users can put up with Automatic Updates, others require testing
before installation, either way, if the network security is properly
setup none of those patches are critical. Keep in mind, I'm not saying
that they are not critical to most systems, only that if you have a
fully protected network, you don't need them until after you've tested.
 
Leythos

t__cruise@ said:
| My systems are not networked to each other. Each is stand alone, with its own Road Runner
| internet connection. Each has the Zone Alarm firewall.

Then each is vulnerable to exploits - Personal Firewall installations,
applications that run on top of a user's computer while the user can use the
computer are by no means perfect (and yes, we run ZA Prof, Kerio, and
several others on our laptops when we go to customers' locations). If you
have Road Runner (as do I) and you don't at least have a NAT router,
then you are just assuming you are protected against the next thing.

Get a NAT router at least.
 
R. McCarty

I think some of the victims of Zotob had their initial infection
brought in by notebooks that spread it into their network. Now
with USB Flash devices there is even more portable "Threats"
to a business network.
 
MAP

This is for XP only!!!
The scumbag trying to use the PnP exploit has to have
1. Access to your keyboard or
2. Admin rights to exploit this remotely

From M/s website under mitigating factors of this hotfix
Mitigating Factors for Plug and Play Vulnerability - CAN-2005-1983:
• On Windows XP Service Pack 2 and Windows Server 2003 an attacker
must have valid logon credentials and be able to log on locally to exploit
this vulnerability. The vulnerability could not be exploited remotely by
anonymous users or by users who have standard user accounts. However, the
affected component is available remotely to users who have administrative
permissions.

• On Windows XP Service Pack 1 an attacker must have valid logon
credentials to try to exploit this vulnerability. The vulnerability could
not be exploited remotely by anonymous users. However, the affected
component is available remotely to users who have standard user accounts.

• Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to the
Internet have a minimal number of ports exposed.

When you say that M/S has a habit of saying everything is "critical"
or must have you are right.
 
Fuzzy Logic

| I respect your opinion. I have found, what Microsoft considers
| critical, is not always critical. Many critical updates should have a
| disclaimer: If you are using a decent firewall, then this update is not
| necessary. My question was not answered though. If one has a decent
| firewall, will that stop the zotob worm from infecting a system?

First of all if you are running any OS other than Windows 2000 you are
unlikely to be affected. Secondly a firewall blocking ports 139 and 445
will prevent the attack. For more information I would suggest that you
visit this page:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Click on Vulnerability Details and expand it until you get to Workarounds.

PS I want to slap you upside the head! While there are often other ways to
prevent attacks why not fix the problem? What happens if your firewall fails
or you misconfigure it?
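
The claim in the post above, that a firewall blocking ports 139 and 445 covers this attack path, can be tested rather than assumed. The following Python check is an added example and not part of the original thread; the function names and the default target are assumptions, and it is meant to be run from a second machine against a host you administer.

```python
import socket
import sys

# Ports the thread names as the ones a firewall must block: NetBIOS session (139) and SMB (445).
SMB_PORTS = (139, 445)

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' using a plain connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: the service is reachable from here
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset: reachable, nothing listening
    except OSError:
        return "filtered"    # timeout or network error: dropped before reaching a listener
    finally:
        sock.close()

def check_exposure(host, ports=SMB_PORTS, timeout=2.0):
    """Return ({port: state}, [ports that accepted a connection])."""
    results = {port: probe(host, port, timeout) for port in ports}
    exposed = [port for port, state in results.items() if state == "open"]
    return results, exposed

def verdict(exposed):
    """One-line summary of the probe results (wording is this example's own)."""
    if exposed:
        return "EXPOSED: reachable on " + ", ".join(str(p) for p in exposed)
    return "OK: no tested port accepted a connection from this vantage point"

if __name__ == "__main__":
    # Hypothetical usage: python check_smb.py <address of a host you administer>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results, exposed = check_exposure(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} {state}")
    print(verdict(exposed))
```

The result describes only the path from the machine running the check: a probe from outside the firewall and a probe from a laptop on the same LAN can give different answers for the same host.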
 
Leythos

PcEngWork- said:
| I think some of the victims of Zotob had their initial infection
| brought in by notebooks that spread it into their network. Now
| with USB Flash devices there is even more portable "Threats"
| to a business network.

I agree, and in many instances, if you don't give them Admin rights on
the local computer they can't connect the USB drives :)

Laptops are always a problem and have always been a threat - but you can
still take standard measures to protect your network against them.
 
Leythos

| PS I want to slap you upside the head! While there are often other ways to
| prevent attacks why not fix the problem? What happens if your firewall fails
| or you misconfigure it?

Are you serious? If the firewall fails you don't have any internet
access in most cases. If you misconfigure it, most times you're still
not exposed enough to cause a problem. Many people test their firewalls
against intrusion, so it's easy to tell if one is "misconfigured" if the
admin cares.
 
Carey Frisch [MVP]

I'm sure all the companies that got hit with the Zotob worm had
firewalls enabled. Microsoft issued a critical update over a week
ago to prevent this infection. I guess they too thought a firewall
was all they need....guess they were wrong.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

-------------------------------------------------------------------------------------------

:

|I respect your opinion. I have found, what Microsoft considers critical, is not always
| critical. Many critical updates should have a disclaimer: If you are using a decent
| firewall, then this update is not necessary. My question was not answered though. If one
| has a decent firewall, will that stop the zotob worm from infecting a system?
| --
|
| T.C.
 
Fuzzy Logic

| Are you serious? If the firewall fails you don't have any internet
| access in most cases. If you misconfigure it, most times you're still
| not exposed enough to cause a problem. Many people test their firewalls
| against intrusion, so it's easy to tell if one is "misconfigured" if the
| admin cares.

Yes I'm serious. Firewalls have bugs too! The original poster is relying
ENTIRELY on his firewall (a software one at that) to protect him. Why not
apply the patches and get the additional level of security? I can understand
waiting a while or doing some testing beforehand but there is no good reason
not to apply critical patches.
 
MAP

This is just what I've noticed over the past year or so, these so called
"critical" updates are geared to business or networks many (may) not apply
to the home user. The PnP exploit comes to mind, why should I care about this
update which requires valid logon cred. and physical access to my computer
(or admin rights) to exploit, when the only people who have access to it are
my wife and myself?
It seems more likely to apply to a company that doesn't trust its employees.

--
Mike Pawlak
 
Fuzzy Logic

| Fuzzy Logic said:
| | | I know that many in this group support downloading Windows XP
| | | updates. Personally, I download and install ONLY what is absolutely
| | | necessary, which for me has avoided problems with smooth running
| | | systems. There has been much media attention the past couple of days
| | | about the Zotob worm, I.E., PnP and compromised Windows security. I
| | | know that there is a patch available for download at the Microsoft
| | | web site WindowsXP-KB899588-x86-ENU.exe
| | |
| | | But, there has been mass media hysteria in the past about viruses and
| | | worms, none of which have made their way to any of my systems with
| | | broadband internet connections, without my having to download and
| | | install the plethora of security patches at the Windows Update. My
| | | question is, if I have a decent firewall am I already protected, or
| | | do I really need to install this patch?
| | | --
| | |
| | | T.C.
| | | t__cruise@[NoSpam]hotmail.com
| | | Remove [NoSpam] to reply
| |
| | Of course you don't NEED to install the patch. You MAY be safe but on
| | the other hand the patch is free and a small download so why not
| | install it?
| |
| | I'd be curious how you decide what is absolutely necessary? In my books
| | that would be any patches classified as critical.
| It would be for an immediate problem, such as support for hardware,
| which was not available prior to the update. Aside from that, when it
| comes to security, the Zone Alarm firewall, and safe internet computing
| practices have kept my systems clean and running smoothly, without
| downloading even one Windows Update for the past couple of years. I
| never updated my SP1 systems to SP2, and all is fine with them. I know
| the hardware/drivers/Software/Utilities and resources on those systems,
| and looked at the risk v. benefit of updating them to SP2. I decided
| not to. I realize that the majority of people who updated to SP2 did
| not have any problems, but some had major problems during and after the
| SP2 update. My SP1 systems are still running fine. I realize that
| there are many people who will disagree with my practices and logic.
| Working on other people's systems is one thing. But, downloading an
| update which does not play nice with one of my configurations is
| something that I do not want to waste time fixing, even if the fix only
| involves an hour of my time. Or, downloading an update and then needing
| to do a System Restore to a time prior to the download of that update,
| because of another problem, which would mean downloading the update
| again, is something I do not want to have to keep track of, or get
| involved with, unless absolutely necessary. --

You do realize that ZoneAlarm has had its own vulnerabilities? You are
essentially putting all your eggs in one basket and relying entirely on a
software firewall to protect you. You are trading off a possible problem
from an update against a likely nastier problem from a vulnerability being
exploited.

FYI I do support for over 600 people and haven't had an issue with a
critical update from Microsoft since the days of Windows NT. We have very
diverse hardware as I work for a research organization with all sorts of
strange equipment. I have never had to do a system restore due to an
update.

What you are doing defies all common security practices (multiple layers
of defense, properly configured and updated systems.)
 
