by Paul Kerstein

Microsoft Patch Seen as Problematic

Oct 17, 2005 · 4 mins
CSO and CISO, Data and Information Security

Some users are apparently running into problems with a Microsoft Corp. patch issued earlier this week to fix a critical hole in the Windows 2000 operating system, according to an alert posted on the SANS Internet Storm Center (ISC) Web site Friday morning.

The patch in question is detailed in Microsoft Security Bulletin MS05-051 and is designed to address a total of four separate vulnerabilities — two of which are rated as “critical” by Microsoft.

One of the critical flaws involves a Windows 2000 component called the Microsoft Distributed Transaction Coordinator (MSDTC) that runs by default and is used to manage database, messaging and file system transactions. The other critical flaw detailed in the same bulletin exists in the Component Object Model (COM+) service built into Windows 2000 to handle resource management tasks. The flaws exist in multiple Windows versions but were rated as critical for Windows 2000 and Windows XP Service Pack 1.

Both flaws were considered particularly dangerous by security experts because they allow attackers to take complete control of vulnerable systems and require no user interaction to be exploited. They are also similar to the vulnerability in a plug-and-play component of Windows 2000 that the creators of the Zotob worm and its variants took advantage of in August to create havoc for some large companies.

Johannes Ullrich, chief technology officer at the ISC, said the organization has so far received over two dozen reports from people saying they had run into a variety of problems when attempting to install the patch associated with MS05-051.

The reported problems listed on the ISC site include an inability to use the Search tool in the operating system’s Start Menu, a blank screen upon log-in to the Windows Update site and disruption of Symantec Corp.’s LiveUpdate virus-updating tool and the SpySweeper antispyware product from Webroot Inc.

“These are the sort of problems that we typically see when patches don’t cooperate well with various third-party software and some of the less used functions of Windows,” Ullrich said. “At this point, the problems with Symantec LiveUpdate and SpySweeper are the most severe,” he said.

He added that the problems reported so far appear to be “very user-dependent,” with no clear indication yet of why some users are reporting problems with certain functions and software while others aren’t. The size and complexity of this month’s patches — Microsoft released nine updates fixing a total of 14 problems this week — could be one reason for the problems, Ullrich said (see “Update: Microsoft reports three ‘critical’ Windows security flaws”).

In an e-mailed statement, Microsoft said it is aware of reports of “isolated deployment issues with security update MS05-051, and is working with the limited amount of customers affected to help resolve the issue.” The company has posted a Knowledge Base article online with more information about the issue.

A Symantec spokesman said his company’s Quality Assurance team is aware of the reports and is trying to replicate the problems. “They have not been able to replicate any of the problems up to this point,” he said. “We have not seen any problems up to now that point to this patch.”

Reports of the patch problems come amid growing concerns of a worm outbreak targeted at the MSDTC and COM+ vulnerabilities. Fueling those concerns was the development of an exploit earlier this week that takes advantage of both the flaws (see “Exploit already available for Windows vulnerability”).

The exploits were developed by Immunity Inc., a Miami-based security research firm. Immunity released the exploit code to members of its partner program, which includes vendors of intrusion-detection and -prevention products, so they could use the information to update their tools.

In addition, there has been a significant increase in computer scanning activity — apparently by hackers looking for targets to attack once an exploit becomes widely available, Ullrich said. “If you run Windows 2000, you should be very concerned,” he said.

By Jaikumar Vijayan – Computerworld (US online)