MS04-011 Status ?

[Jim Matthews]

Ok - I held off on installing these patches, and approving them for
installation on my consultant's (remote) laptops because of the problems
noted in this group and elsewhere.

Is there any response or change from MS ?

I know - I can't afford to have a successful attack - but I certainly cannot
have one of these laptops "crash and burn" - so that seems the lesser risk.

Any guidance/news on this is greatly appreciated

JM

 

[Wouter]

Ok - I held off on installing these patches, and approving
them for installation on my consultant's (remote) laptops
because of the problems noted in this group and elsewhere.

Is there any response or change from MS ?

I know - I can't afford to have a successful attack - but I
certainly cannot have one of these laptops "crash and burn"
- so that seems the lesser risk.

Any guidance/news on this is greatly appreciated

JM

Why don't you try one Laptop?
Are these Laptop's equal?
For me it was easy to remove the patch and revert to the old
situation (see my message 4 lines down)

 

[Bill Sanderson]

FWIW, there is a publicly available attack script available for this
vulnerability now. The likelyhood is that such a script may enable a simple
modification to an existing worm to use this vulnerability in the near
future.

 

[BeamGuy]

Should I assume that a good software firewall would protect me when I plug my
laptop into the hotel high speed internet portal tommorrow?

 

[Bill Sanderson]

This patch has a rather long list of separate vulnerabilities.

When I check the vuln details of at least one--ASN.1, the workarounds
section reads:

None.

If I were running Windows XP SP2's firewall, I'd set it to the locked
setting--no exceptions.

If you can do that to your software firewall, I think I'd feel reasonably
safe--that's the kind of setting which is appropriate on a shared ethernet
in a public place, anyway.

 

[BeamGuy]

I'm running windows 2000 pro with the free ZoneAlarm firewall installed.
Should the default zonealarm settings be ok?

 

[Jake]

I installed MS04-011, MS04-012, MS04-013 and MS04-014 on
250 workstations (MS NT 4.0, Win2K Pro SP4, WinXP, WinXP
SP1) and havent had any issues or complaints from any
users thus far.

Just stating this becuase I didn't know of any issues
with the MS04-011 patch and haven't had any problems.

Jake

 

[Scott Harding - MS MVP]

These have been running on my systems since the patch came out. no problems
so far...

 

[Jim Matthews]

Thanks for your reply

My issue was whether anyone knows of any patch/fix being forthcoming from
MS.

I have tried it on my own laptop, and two of my "charges" applied the
patches before I could tell them not to - no problems so far.

The issue is - most of my users are remote - if they lose their laptops they
are "dead in the water" until they send it or bring it to me and I fix it or
re-image it - a distinct possibility from what I read

The laptops are not all identical - they start with a standard image
including SP4 and all patches to that point, and then whatever the
consultant needs he/she installs.

 

[Guest]

The problem seems to only effect about 1 out of 1000 machines, but when that one patch fails, it's UGLY. And so far, MS has said nothing about what they even suspect the problem might be

Come on, Microsoft. You keep saying we should apply the patch, and there's probably an exploit coming, but we can't. Fix it already!

 

[Jake]

So what are the symptoms that people are experiencing?
The only problem anyone has stated is "Nothing is
mentioned about the problems people are having
(SLOOOWWWNESSSS)."

-----Original Message-----
The problem seems to only effect about 1 out of 1000

machines, but when that one patch fails, it's UGLY. And
so far, MS has said nothing about what they even suspect
the problem might be.

Come on, Microsoft. You keep saying we should apply the

patch, and there's probably an exploit coming, but we
can't. Fix it already!

 

[Guest]

We've pushed the patches out to 800+ systems. After running a Nessus scan on the updated systems, nearly half are reported as missing ms04-011 and MS04-007. This is a mixed batch of 2000 and XP. I haven't scanned all the 2003 servers yet but those that have been scanned appear to be patched. We don't have a way to push to the NT boxes in place, just trying to catch those by hands on.

 

[Bill Sanderson]

I only see ZoneAlarm occasionally on a customer machine. I would lock it
down as much as possible--which may well not be the defaults.

The ASN.1 vulnerability may not be representative, but there were enough
others that I didn't want to dig through the whole list.

 

[Enkidu]

This is a bit off topic, but what do you do to ensure that their data
is safe? I can think of various ways of doing it: removable backup
drives, USB Flash memory devices, CD-writers. But none of them are
really satisfactory.

Cheers,

Cliff

 

[Bill Sanderson]

You know folks, Many messages in this thread are predicated on the thought
that it is more risky to apply the patch than it is to leave it off.

I really doubt that.

Why not apply the patch to some representative, but low value (in terms of
data loss or productivity loss) machines, and get on the horn to Microsoft
PSS at the slightest sign of an issue. You might even, if the risks have
high value, consider a preemptive call to Microsoft PSS to ask whether there
are specific issues with this patch, and whether those issues have
boundaries that can be defined, so you know which machines might be at risk.

If you apply the patch and have a problem, the call to PSS is free.
1-866-pcsafety, or any of the other PSS support numbers worldwide.

I don't know what their stance would be about a call before applying the
patch--they might well charge--but consider the cost/benefit.

 

[serverguy]

I haven't seen any problems at my company with the patch, but at home on one
of my 2000 SP4 boxes, I discovered the issue first hand. Basically, after
the reboot the system came up dog slow -turns out to be the system process
using 99-100% CPU. Literally taking an hour to boot up and load the few
things I have in the systray. Click on Start and wait 5 minutes for it to
appear, etc. BTW, same thing in safe mode. I got around the issue a little
bit by giving Explorer.exe higher priority in Task Mgr. I then was able to
get into Add/Remove programs and remove the patch. Came back up fine, no
problem.

 

[Bill Sanderson]

So--did you call PSS?

What did they say?

Do it--they need to hear the feedback, and maybe there's a fix or
workaround.

 

[Peter van der Woude]

No fix yet, only workarounds:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382

Peter