Included in the 12 security bulletins released by Microsoft last week were more than 60 patches to fix flaws in everything from ASP.NET to Internet Explorer to server message block. To add to the load, Microsoft
also released an update to last October's MS04-035, which deals with an SMTP vulnerability.
"This is the biggest month Microsoft has ever had. I used to be a guy who wrote the security bulletins at Microsoft and we never had a month where we had this many going out," said Eric Schultze, chief security architect at Roseville, Minn.-based Shavlik Technologies LLC.
Schultze said administrators are going to have their hands full downloading, testing and deploying the various patches. "Just the process of downloading 60 patches, that's going to take a couple minutes per patch. The downloading process alone could take you hours. Then testing each one is a really long process. Then determining for each computer you have -- each takes a slightly different combination of patches," he said. "It really is going to come down to people prioritizing to get this done."
Which patch should be deployed first?
Schultze and Shane O'Donnell, vice president of marketing and business development at Minneapolis-based Oculan Corp., disagree on which patches are the highest priority.
"A disproportionate number were critical bugs, and
among the critical bugs there were some of potentially epic proportions," said O'Donnell. "Particularly our main concern is the SMB [server message block] allowing remote code execution in bulletin MS05-011. Obviously, SMB is fundamental to everything that happens with Microsoft. Assuming that customers are not deploying it safely, there are boxes all over the place that are sitting vulnerable and listening actively for the packet that is going to cause them problems."
O'Donnell likened the vulnerability to the "ping of death" that crashed machines with oversized packets in the mid-1990s. "It's not a major worm thing, so that's their argument [for not giving the bulletin higher priority]. It certainly is broad enough to cripple entire corporate networks over night, and certainly anywhere else where people are walking up and plugging in their machines."
"The upside to that patch is that, theoretically, it should have the least amount of potential conflicts with application software because it's at such a low and fundamental part of the system," O'Donnell said.
MS05-009 is a patch for a remotely executable flaw in the Portable Network Graphics (PNG) that impacts Windows Media Player and MSN Messenger. "Apparently, there is exploit code floating around, so it's critical that one get patched," Schultze said. "The other one is MS05-010, fixing a vulnerability in the license-logging service. Everyone's got it and it's usually turned on. And if that's the case, someone could remotely exploit that and own your system. I'm gathering it was a more serious flaw because Microsoft has decided to release an NT4 [Windows NT 4.0] patch."
Microsoft's mainstream support of the NT 4.0 operating system expired at the end of last year, but the company has said that it will release patches for that OS when it deems it necessary. In January, two security bulletins addressed NT4 vulnerabilities.
An update to one of last year's Exchange Server 2003 patches, MS04-035, was released last week in addition to the new fixes. The update patches Exchange Server 2000 systems. "Unfortunately, that patch requires a prerequisite," said Shultze. Administrators should be sure to have the Exchange Server 2000 Service Pack 3 rollup installed before deploying the patch.
"These are probably things that have been under research for a while and this is when they were all ready to be released for the world," said Schultze. "It's good that Microsoft is identifying things and getting them fixed. It's tough that they all come out at the same time. On the other hand, customers don't want Microsoft to hold back. That doesn't benefit anybody. In some ways that's just the way the cookie crumbles on this one."