Posted on 10/18/2005 7:30:01 AM PDT by ShadowAce
Security-conscious Windows users who tweaked the operating system to protect their PCs better are getting hit hardest by a flawed Microsoft patch, experts said Monday.
Microsoft has acknowledged that a patch released last week can cause trouble for some users. It could lock them out of their PC, prevent the Windows Firewall from starting, block certain applicationsfrom running or installing, and empty the network connections folder,among other things, the software maker said in an advisory on Friday.
The trouble occurs when default permission settings on a Windows folder have been changed, according to Microsoft. Those changes aren't common, but have been applied by some people to add extra security to their systems, experts said.
"The flaw in the patch affects users who tightened down access lists," said Johannes Ullrich, the chief research officer at the SANS Institute. "These are typically more-advanced, security-conscious users."
The settings are also likely to be used by businesses with strict access requirements, such as those in the financial services or health care industries, said Vijay Adusumilli, a senior product manager at security software vendor St. Bernard Software. "They tighten settings for security purposes," he said.
The patch was released on Tuesday to fix four Windows vulnerabilities. Microsoft tagged the combined vulnerabilities "critical," and experts warned that a worm attack linked to the issue could be imminent. The software maker urged all users to immediately apply the update, delivered in security bulletin MS05-051.
"If users made changes to their security settings and tightened them, this patch is going to break a whole lot of software," Adusumilli said. The update simply didn't take into account all the possible Windows user configurations, he said.
The problem may result in more apprehension among users when it comes to applying Windows patches, he noted. "Microsoft's patch quality reputation just started to improve, but I think this is going to dent that a bit," Adusumilli said.
That is worrying, especially with a narrowing amount of time between the release of a software fix and a malicious code attack that exploits the vulnerability related to it, Ullrich said. The narrowing "patch window" has moved people to apply remedies faster.
"Many companies have come to rely on high patch quality to use accelerated deployment procedures for critical patches. But the problems with MS05-051 will make people think twice next time around," Ullrich said.
The flawed update delivered "two strikes against good security," Ullrich said. "First, you get penalized for running an enhanced security template. Next, you get penalized for patching quickly."
Microsoft had no immediate comment for this story.
BTW--thanks to N3WBI3 for the link.
So it seems the problem is with the download being filtered, and not with the patch itself?
What made the change? Mine is fine.
MAC is the answer. Mine never, but never has had a problem and I have had four MACs (upgrades) in 12 years. All PC owners must have a permanent link to Kim Kommando just to keep their PS up and running and even then Gates and company can and do screw it all up. Flame away!
If you want a Google GMail account, FReepmail me.
Also, please see The Backside of American History
You'll love this 187 page .pdf (1.99 MB)
You NEVER, NEVER, apply any patch to a production system, without first having tested it on your identical system in the test lab!
What? You don't have a test lab? Well, set one up! And be sure that you've got identical hardware in there, since patches can interact differently with different drivers.
It's an ugly situation, and it's only going to get worse.
Mark
The firewall thing has effected me. Lot of other odd things happening too. To complicate matters, the system log is starting to show disk errors. Hard disk problems? MS patch problems? Both? Damn.
'Microsoft had no immediate comment for this story'
You'll probably see fewer hackey-sacks on the M-Soft Campus for a few weeks ;>
This happened on many of our systems. Explorer wouldn't run, using Task manager to try to run a new task was SSSLLLOOOOWWWWWWW...
Nobody's perfect. Apple has had some problems with their updates/upgrades. Remember the erasing hard drives?
Of course, this problem wouldn't have occurred if you didn't need to do massive tweaking to properly secure a Windows box.
Great! Thanks for posting the solution. Since I don't personally run WIndows, I had no idea what the fix was.
We used to do this even for the thousands of clients under our umbrella. We had a pretty strict, locked-down baseline, and we tested all patches before approving them for release. The lab was pretty big, with a reasonable sampling of the hardware and software that was out there.
A few times the testing caught Microsoft opening up ports that we had closed and enabling services that we had disabled for security reasons. That was scary.
Yeah, sure. Every small business has the time and money to set up a test lab for their computer systems. Why, our 20 person shop has an empty office just waiting for a full time IT guy to manage our Windows updates for us.
some stuff is *SO* mission critical that it is vorbotten to patch or touch the working system! if it needs protection, the protection comes from outboard appliances like active intrusion detectors or firewalls...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.