MS04-011 Status ?


Jim Matthews
Ok - I held off on installing these patches, and approving them for
installation on my consultant's (remote) laptops because of the problems
noted in this group and elsewhere.

Is there any response or change from MS ?

I know - I can't afford to have a successful attack - but I certainly cannot
have one of these laptops "crash and burn" - so that seems the lesser risk.

Any guidance/news on this is greatly appreciated

JM



Wouter
"Jim Matthews" wrote in
news:%23l6bwpJKEHA.3216@tk2msftngp13.phx.gbl

> Ok - I held off on installing these patches, and approving
> them for installation on my consultant's (remote) laptops
> because of the problems noted in this group and elsewhere.
>
> Is there any response or change from MS ?
>
> I know - I can't afford to have a successful attack - but I
> certainly cannot have one of these laptops "crash and burn"
> - so that seems the lesser risk.
>
> Any guidance/news on this is greatly appreciated
>
> JM

Why don't you try one laptop?
Are these laptops equal?
For me it was easy to remove the patch and revert to the old
situation (see my message 4 lines down)



Bill Sanderson
FWIW, there is a publicly available attack script available for this
vulnerability now. The likelihood is that such a script may enable a simple
modification to an existing worm to use this vulnerability in the near
future.

"Jim Matthews" wrote in message
news:%23l6bwpJKEHA.3216@tk2msftngp13.phx.gbl...
> Ok - I held off on installing these patches, and approving them for
> installation on my consultant's (remote) laptops because of the problems
> noted in this group and elsewhere.
>
> Is there any response or change from MS ?
>
> I know - I can't afford to have a successful attack - but I certainly
> cannot
> have one of these laptops "crash and burn" - so that seems the lesser
> risk.
>
> Any guidance/news on this is greatly appreciated
>
> JM
>
>



BeamGuy
Should I assume that a good software firewall would protect me when I plug my
laptop into the hotel high speed internet portal tomorrow?


"Bill Sanderson" wrote in message news:%23gkXGWKKEHA.2680@TK2MSFTNGP11.phx.gbl...
> FWIW, there is a publicly available attack script available for this
> vulnerability now. The likelihood is that such a script may enable a simple
> modification to an existing worm to use this vulnerability in the near
> future.



Bill Sanderson
This patch has a rather long list of separate vulnerabilities.

When I check the vuln details of at least one--ASN.1, the workarounds
section reads:

None.

If I were running Windows XP SP2's firewall, I'd set it to the locked
setting--no exceptions.

If you can do that to your software firewall, I think I'd feel reasonably
safe--that's the kind of setting which is appropriate on a shared ethernet
in a public place, anyway.


"BeamGuy" wrote in message
news:%23FrdzZKKEHA.2688@TK2MSFTNGP10.phx.gbl...
> Should I assume that a good software firewall would protect me when I plug
> my laptop into the hotel high speed internet portal tomorrow?



BeamGuy
I'm running Windows 2000 Pro with the free ZoneAlarm firewall installed.
Should the default ZoneAlarm settings be ok?


"Bill Sanderson" wrote in message news:OUDemhKKEHA.2660@TK2MSFTNGP09.phx.gbl...
> This patch has a rather long list of separate vulnerabilities.
>
> When I check the vuln details of at least one--ASN.1, the workarounds
> section reads:
>
> None.
>
> If I were running Windows XP SP2's firewall, I'd set it to the locked
> setting--no exceptions.
>
> If you can do that to your software firewall, I think I'd feel reasonably
> safe--that's the kind of setting which is appropriate on a shared ethernet
> in a public place, anyway.



Jake
I installed MS04-011, MS04-012, MS04-013 and MS04-014 on
250 workstations (MS NT 4.0, Win2K Pro SP4, WinXP, WinXP
SP1) and haven't had any issues or complaints from any
users thus far.

Just stating this because I didn't know of any issues
with the MS04-011 patch and haven't had any problems.

Jake
>-----Original Message-----
>This patch has a rather long list of separate vulnerabilities.
>
>When I check the vuln details of at least one--ASN.1, the workarounds
>section reads:
>
>None.
>
>If I were running Windows XP SP2's firewall, I'd set it to the locked
>setting--no exceptions.
>
>If you can do that to your software firewall, I think I'd feel reasonably
>safe--that's the kind of setting which is appropriate on a shared ethernet
>in a public place, anyway.

Scott Harding - MS MVP
These have been running on my systems since the patch came out. No problems
so far...

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

"Jake" wrote in message
news:308d01c428b0$8ce04680$a301280a@phx.gbl...
> I installed MS04-011, MS04-012, MS04-013 and MS04-014 on
> 250 workstations (MS NT 4.0, Win2K Pro SP4, WinXP, WinXP
> SP1) and haven't had any issues or complaints from any
> users thus far.
>
> Just stating this because I didn't know of any issues
> with the MS04-011 patch and haven't had any problems.
>
> Jake



Jim Matthews
Thanks for your reply

My issue was whether anyone knows of any patch/fix being forthcoming from
MS.

I have tried it on my own laptop, and two of my "charges" applied the
patches before I could tell them not to - no problems so far.

The issue is - most of my users are remote - if they lose their laptops they
are "dead in the water" until they send it or bring it to me and I fix it or
re-image it - a distinct possibility from what I read

The laptops are not all identical - they start with a standard image
including SP4 and all patches to that point, and then whatever the
consultant needs he/she installs.


"Wouter" wrote in message
news:ehAMkTKKEHA.2452@TK2MSFTNGP09.phx.gbl...
> Why don't you try one laptop?
> Are these laptops equal?
> For me it was easy to remove the patch and revert to the old
> situation (see my message 4 lines down)
>
>



Dale
The problem seems to only affect about 1 out of 1000 machines, but when that one patch fails, it's UGLY. And so far, MS has said nothing about what they even suspect the problem might be.

Come on, Microsoft. You keep saying we should apply the patch, and there's probably an exploit coming, but we can't. Fix it already!

Jake
So what are the symptoms that people are experiencing?
The only problem anyone has stated is "Nothing is
mentioned about the problems people are having
(SLOOOWWWNESSSS)."




>-----Original Message-----
>The problem seems to only affect about 1 out of 1000 machines, but when
>that one patch fails, it's UGLY. And so far, MS has said nothing about
>what they even suspect the problem might be.
>
>Come on, Microsoft. You keep saying we should apply the patch, and
>there's probably an exploit coming, but we can't. Fix it already!

Gordon
We've pushed the patches out to 800+ systems. After running a Nessus scan on the updated systems, nearly half are reported as missing MS04-011 and MS04-007. This is a mixed batch of 2000 and XP. I haven't scanned all the 2003 servers yet but those that have been scanned appear to be patched. We don't have a way to push to the NT boxes in place, just trying to catch those by hands on.

Bill Sanderson
I only see ZoneAlarm occasionally on a customer machine. I would lock it
down as much as possible--which may well not be the defaults.

The ASN.1 vulnerability may not be representative, but there were enough
others that I didn't want to dig through the whole list.


"BeamGuy" wrote in message
news:%2339KT3KKEHA.1144@TK2MSFTNGP12.phx.gbl...
> I'm running Windows 2000 Pro with the free ZoneAlarm firewall installed.
> Should the default ZoneAlarm settings be ok?



Enkidu

This is a bit off topic, but what do you do to ensure that their data
is safe? I can think of various ways of doing it: removable backup
drives, USB Flash memory devices, CD-writers. But none of them are
really satisfactory.

Cheers,

Cliff

On Fri, 23 Apr 2004 07:28:34 -0500, "Jim Matthews"
wrote:

>Thanks for your reply
>
>My issue was whether anyone knows of any patch/fix being forthcoming from
>MS.
>
>I have tried it on my own laptop, and two of my "charges" applied the
>patches before I could tell them not to - no problems so far.
>
>The issue is - most of my users are remote - if they lose their laptops they
>are "dead in the water" until they send it or bring it to me and I fix it or
>re-image it - a distinct possibility from what I read
>
>The laptops are not all identical - they start with a standard image
>including SP4 and all patches to that point, and then whatever the
>consultant needs he/she installs.


Bill Sanderson
You know folks, many messages in this thread are predicated on the thought
that it is more risky to apply the patch than it is to leave it off.

I really doubt that.

Why not apply the patch to some representative, but low value (in terms of
data loss or productivity loss) machines, and get on the horn to Microsoft
PSS at the slightest sign of an issue? You might even, if the risks have
high value, consider a preemptive call to Microsoft PSS to ask whether there
are specific issues with this patch, and whether those issues have
boundaries that can be defined, so you know which machines might be at risk.

If you apply the patch and have a problem, the call to PSS is free.
1-866-pcsafety, or any of the other PSS support numbers worldwide.

I don't know what their stance would be about a call before applying the
patch--they might well charge--but consider the cost/benefit.


"Enkidu" wrote in message
news:skej8019nalcucutpihar8qucng5pnlasn@4ax.com...
>
> This is a bit off topic, but what do you do to ensure that their data
> is safe? I can think of various ways of doing it: removable backup
> drives, USB Flash memory devices, CD-writers. But none of them are
> really satisfactory.
>
> Cheers,
>
> Cliff



serverguy
I haven't seen any problems at my company with the patch, but at home on one
of my 2000 SP4 boxes, I discovered the issue first hand. Basically, after
the reboot the system came up dog slow - turns out to be the system process
using 99-100% CPU. Literally taking an hour to boot up and load the few
things I have in the systray. Click on Start and wait 5 minutes for it to
appear, etc. BTW, same thing in safe mode. I got around the issue a little
bit by giving Explorer.exe higher priority in Task Mgr. I then was able to
get into Add/Remove programs and remove the patch. Came back up fine, no
problem.

"Jake" wrote in message
news:348801c4294a$25397de0$a601280a@phx.gbl...
> So what are the symptoms that people are experiencing?
> The only problem anyone has stated is "Nothing is
> mentioned about the problems people are having
> (SLOOOWWWNESSSS)."



Bill Sanderson
So--did you call PSS?

What did they say?

Do it--they need to hear the feedback, and maybe there's a fix or
workaround.

"serverguy" wrote in message
news:%23COpK04KEHA.556@tk2msftngp13.phx.gbl...
> I haven't seen any problems at my company with the patch, but at home on one
> of my 2000 SP4 boxes, I discovered the issue first hand. Basically, after
> the reboot the system came up dog slow - turns out to be the system process
> using 99-100% CPU. Literally taking an hour to boot up and load the few
> things I have in the systray. Click on Start and wait 5 minutes for it to
> appear, etc. BTW, same thing in safe mode. I got around the issue a little
> bit by giving Explorer.exe higher priority in Task Mgr. I then was able to
> get into Add/Remove programs and remove the patch. Came back up fine, no
> problem.



Peter van der Woude
No fix yet, only workarounds:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382

Peter

> Do it--they need to hear the feedback, and maybe there's a fix or
> workaround.
>