Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Can Microsoft deliver perfect patches?
In this issue
- INTRODUCTION: Something wormy this way comes
- TOP STORY: Can MS deliver perfect patches every time?
- INDEX OF REVIEWS: We're adding cell phones to the index
- WINDOWS SECRETS: Even antivirus software can't be 100% secure
- WOODY'S WINDOWS: Office SP2 chokes on Windows DiskCleanup
- PATCH WATCH: Fasten your seatbelts for the October patches
- WACKY WEB WEEK: Highlander in 30 sec., re-enacted by bunnies
Something wormy this way comes
Our team of Windows experts predicts that a serious worm attack will blaze across the Internet soon. This is due to a security hole that Microsoft announced on Oct. 11.
The remedy is a patch called MS05-051. It’s one of 8 the Redmond company released on its regular Patch Tuesday schedule. All of these patches may be significant to you. But it’s particularly important that Windows XP users upgrade to Service Pack 2 (if you haven’t already) and that users of Windows 2000, XP, and other versions install MS05-051 to protect against the oncoming malware.
This hole is so easy to exploit that those in the know are moving quickly. Third-party security-software updates have already been released by McAfee and Internet Security Systems, and other vendors will soon bring out their own updates, if they haven’t already.
To make matters worse, a hacked .avi media file can also silently infect Windows users who play it, even users of XP SP2 and Windows Server 2003. MS05-050 fixes this.
For this topic, I’ve commissioned a special patch analysis (below) by Ryan Russell, a recognized authority. Ryan is a white-hat hacker who’s authored several books and now helps corporations keep their systems protected.
This worrisome situation has spawned a debate among our contributing editors. On the one hand, Microsoft’s patches sometimes have negative side-effects. On the other hand, waiting weeks to see whether a patch has a bug can expose you to a devastating Internet intrusion.
We decided early this year to publish on a new schedule to solve this dilemma. Our twice-monthly newsletter now comes out a mere two days after every Patch Tuesday, and two weeks after that. Our contributors stay up past midnight on Patch Tuesday researching any reported patch issues. You can then read the newsletter on Thursday and learn how to avoid any problems we find. That should give you the confidence to install the latest patches on Friday or Saturday, before hackers can (so far) code and launch a worm.
This week’s articles by Chris Mosby, Susan Bradley, and Woody Leonhard appear in the paid version of the newsletter. Ryan Russell’s insight into the new threat and Microsoft’s updates is included in the free version this week but will move to the paid version in future issues.
Someday, Microsoft will release software that doesn’t need monthly patches. Until then, we’ll keep our eyes peeled and produce the best information we can to help you. —Brian Livingston, Editor
Can MS deliver perfect patches every time?
By Ryan Russell
The last few years, I’ve found myself doing quality-assurance work for a vendor that sells software to large enterprise customers. That means, among other things, that I’m responsible for checking the updates and patches that go out to those customers.
I also find myself somewhat sympathetic to other vendors regarding how long it takes to prepare a good patch release.
I don’t think there’s a one-size-fits-all amount of time before a patch must be released. However, I can see that the 30 to 60 days that some vulnerability researchers call for is often on the low side.
To be sure, there’re some extreme cases that I find appalling. For example, David Litchfield claims Oracle took around two years to release a set of patches, which reportedly failed to actually fix many of the problems. I’ll take David’s word for it, since he found those issues in the first place. Against that standard, Microsoft doesn’t look too bad.
In fact, Microsoft has a very good reason to try to get its patches perfect the first time, every time. Two reasons, actually.
First, most of the advisories from security researchers are now released on Patch Tuesday. It used to be that Microsoft’s patch releases were irregularly scheduled, so responsible researchers wouldn’t know exactly when to put out their advisories. This would usually leave at least a few hours after a Microsoft announcement before a researcher’s advisory (sometimes with exploit details) was publicly posted. Now the details come out almost simultaneously with the patch.
Second, the patched binary files themselves are often the most useful roadmaps showing exactly where vulnerabilities lie.
Today’s tools easily decode patches
If a researcher can discover the exact vulnerability from the binary patch itself, the cat is out of the bag the moment the patch is released. This means Microsoft really only has one shot to get the patch right before the clock starts ticking. If the Redmond company makes an error that prevents people from immediately deploying the patch, the exploit authors get a head start.
It turns out that they don’t need much of a lead. The technique of comparing an old binary with the patched one to discover the differences must be as old as patches themselves.
Several years ago, I used such a technique myself when Microsoft released patches for vulnerabilities they’d discovered in-house. I needed to write an IDS (intrusion detection system) rule to catch exploitation attempts. The only place to see the problem was in the patch file itself.
In my case, I was doing it by hand, and it was painfully tedious. Nowadays, there are tools that make this kind of work a snap. These utilities include BinDiff by Halvar Flake and Process Stalker by Pedram Amini.
Halvar even released a Flash movie recently, in which he demonstrates how he found the vulnerability that’s fixed by MS05-025. It takes him 20 minutes.
How often does Microsoft blow it?
I’m one of the moderators of the PatchManagement.org mailing list. As such, I get to see just how often people have trouble with Microsoft patches.
To be completely fair, Microsoft is not at all alone in having problems, and I’d tend to rate them better than most. In the recent past, there have been discussion threads regarding patch woes with Adobe, McAfee, and Cisco. But most of the discussion is about Microsoft patches, probably because that’s the core of the community that’s formed.
In August 2005, there was a widely reported problem. Several of the patches would not install, depending on exactly how and where you downloaded them.
Turns out that some of the uploads to Microsoft’s various distribution points didn’t succeed. The patches, which were IE updates, were essentially corrupt. The digital signatures didn’t verify, so servers didn’t even try to install the corrupt patches, which is a good thing. The bad thing is that some patch-installation mechanisms were temporarily broken. Meanwhile, anyone who wanted to write an exploit could find a good copy of the patch and start their work.
It wasn’t as bad as it might have been. Both the Microsoft Update and Windows Update download locations worked. This meant home users typically could still get the patch fine, and knowledgeable admins still had a place they could go to find a good copy. But not all of them did.
Only five days ’til the worm turns
That’s the same week Zotob (and its friends) came out. You remember those worms, right? They’re the ones that started crashing computers at large news agencies, including CNN, ABC, and the New York Times. Lo and behold, these worms became big news because of that. It took a scant 5 days from Aug. 9 — which was Patch Tuesday — to the release of Zotob.A on August 14.
The news agencies didn’t start reporting on the worm in a big way until a couple of days after that. That’s because the copycat worms that came out a few days after Zotob had bugs that caused crashes. That’s right — those same news agencies had probably been riddled with Zotob all along but didn’t know it because it was a relatively well-behaved critter. It wasn’t until the variants, which had the nasty habit of crashing things, came along that they noticed, because then the on-air talent couldn’t compute.
I hope no one reading this newsletter has to have badly written malware infect them before they notice a problem. But I digress.
Which patch will spawn the worst worm?
It looks like everyone’s favorite candidate this month is MS05-051. This patch fixes a set of vulnerabilities very similar to those in MS05-039, the August 2005 bulletin that generated Zotob. One difference this time is that XP and Windows Server 2003 don’t run some of the vulnerable services by default.
This means that when the inevitable worm is released, you can expect a lot of infected Windows 2000 machines. In theory, XP SP0 will have a large share of problems, too. Can you really be using XP these days without at least installing SP2?
A year ago, Kevin Mitnick (coauthor of The Art of Intrusion) and I did a study for USA Today. We connected some unprotected XP (and other) machines to the Internet and watched unpatched XP boxes get owned in as little as 4 minutes.
Granted, you can do hotfixes and such and maybe get by, but it’s difficult to imagine not having XP SP2 be your firm, minimal baseline. Are any readers getting by with less than SP2 on XP? I’d be curious to hear about it. [Editor’s Note: Submit tips using our contact page.]
Please put MS05-051 on your fast track to install. But that’s not the only one. MS05-050 and MS05-052 are also rated “Critical.” Note that MS05-052 affects IE, for those of you who use Microsoft’s browser.
There are many spammers, phishers, spyware authors, and other general scum who are dying to have a working exploit for the critical holes. They badly want you for your identity and your financial information and to run their botnets on your CPU. They’re often willing to pay other black hats cold cash in exchange for their exploits to be quietly installed on your PCs.
The coming days will show us just how easy these holes will be for the bad guys to take advantage of. For now, assume that it’s very practical, and don’t wait to prepare yourself.
Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
We're adding cell phones to the index
Cell phones are becoming essential peripherals. After much research, we’ve decided to add cell-phone rankings to the other products in the Index of Reviews. We’ve found trusted reviewers who rate the latest cellular devices, in categories such as smart phones, camera phones, world phones, multimedia phones, and entry-level phones.
It’s hard to find a ding-a-ling these days that’s nothing but a phone. The extras include MP3 playback, e-mail, cameras up to 2 megapixels, streaming video, and more. This issue, we’re devoting the entire Index of Reviews just to cell phones. In future issues, phones will appear in this section whenever new test results come out.
CELLPHONES
Mobile Mag names favorite phones of 2005
Mobile Magazine puts 59 phones through their paces to find the best smart phones, multimedia handsets, and entry-level models. The Sidekick II (photo, left) and PalmOne’s Treo 650 emerged as the highest-rated smart phones.
• Danger Sidekick II (Smart phones, Mobile Choice, Score: 5.0/5.0)
• PalmOne Treo 650 (Smart phones, Mobile Choice, 5.0)
• RIM BlackBerry 7100t (Smart phones, Mobile Choice, 4.5)
• Motorola V710 (Midrange/multimedia phones, Mobile Choice, 4.5)
• Motorola Razr V3 (Midrange/multimedia phones, Mobile Choice, 4.0)
• Nokia 6682 (Midrange/multimedia phones, Mobile Choice, 4.0)
• Samsung SGH-P207 (Entry-level phones, Mobile Choice, 4.5)
CAMERAPHONES
Photographers pick 2005’s best camera phones
Unable to ignore the progress that camera phones have made, American Photo Magazine includes them in this year’s Editors’ Choice 2005 awards. Of the 13 phones tested, they give special recognition to models from LG (left) and Nokia.
• LG VX8000 (Best Buy)
• Nokia N90 (Breakthrough, not yet released)
SMARTPHONES
Treo gets the nod from Laptop Mag
Laptop Magazine puts phone/PDA crossbreeds head-to-head to find the best multitasking device. Echoing Mobile Mag’s ratings (above), PalmOne’s Treo 650 beats six other models for the laptop publication’s top spot.
• PalmOne Treo 650 (Editors’ Choice, Score: 4.5/5.0)
WORLDPHONES
Déjà vu, Treo gets CNET’s vote, too
The Treo 650 wins the prize again, this time in CNET’s tests of seven world phones. In order for a GSM handset to be considered a world phone, it must support triband (900/1800/1900) or quadband (850/900/1800/1900) frequencies.
• PalmOne Treo 650 (Score: 8.3/10.0)
CELLPHONES
2 Motorola offerings top PC Mag phone list
PC Magazine adds two new models from Motorola to its list of top-rated cell phones. Both the i355 and the E815 (photo, left) are praised for offering numerous features at a reasonable price.
• Motorola E815 (Editors’ Choice, Score: 4.0/4.0)
• Nextel i355 (Editors’ Choice, 4.0)
• Motorola V551 (Editors’ Choice, 4.0)
• Sprint MM-5600 (Editors’ Choice, 4.0)
CAMERAPHONES
PC Mag selects the 2 best camera phones
The editors at PC Magazine put six 1- and 2-megapixel camera phones through a battery of tests. Two phones excelled at doing double-duty — the Nokia 6682 (photo, left) and the Samsung MM-A800 — and each earned an Editors’ Choice award.
• Nokia 6682 (Editors’ Choice, Score: 4.0/5.0)
• Sprint PCS Vision MM-A800 by Samsung (Editors’ Choice, 4.0)
CELLPHONES
11 phones in Sync, each for a reason
Sync Magazine’s editors put their trademark spin on the traditional review process by honoring several different phones for different purposes. Eleven phones are chosen, each of which has at least one key feature that sets it apart.
• Motorola Black Razr V3 (Best for class acts)
The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products.
Vickie Stevens is research director of WindowsSecrets.com.
Even antivirus software can't be 100% secure
By Chris Mosby
This may be a tough thing to hear, but it’s true. Even antivirus software has bugs and vulnerabilities that can be exploited, if someone takes enough time to look for them.
Lately, there seems to be a rash of these vulnerabilities. That’s a risk we all take when we deal with software. We just have to hope we can keep our security suites as safe and secure as possible.
The best that anyone can do is to keep their eyes and ears open for vulnerabilities in the software that they use. Try to patch your software as soon as you hear about a problem. That’s exactly what you’re doing by subscribing to this newsletter, taking that first step in keeping yourself informed.
Antivirus apps don’t scan funny filenames
A SecuBox Labs advisory made me aware of an easily exploitable vulnerability in several different vendors’ antivirus software.
This vulnerability is caused by the programs’ inability to scan files whose names contain extended ASCII characters and control characters that are lower than 0x20. A hacker can easily rename an infected file with such a name. This would cause the antivirus programs to ignore the file completely in any scans that are performed.
Except for two vendors in the list, I’d never even heard of these companies. The names still bear mentioning in case you’re using their products. Here’s the list (with a few additions to the SecuBox list from Donna’s SecurityFlash):
• BitDefender Antivirus
• Trustix Antivirus
• Avast! Antivirus
• Cat Quick Heal Antivirus
• Abacre Antivirus
• VisNetic Antivirus (bypass only with manual scan)
• ClamAV for Windows Antivirus
• Antiy Ghostbusters Professional Edition
• Norman Virus Control (NVC)
• Twister Anti-TrojanVirus
• SRN Micro Systems Solo Antivirus
What to do: I haven’t seen a patch for this problem from any of these vendors, so I’d recommend using other antivirus software.
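Whichever scanner is in use, files carrying such names can be located and reviewed directly. The script below is an added example, not code from this newsletter or the SecuBox advisory: it walks a directory tree and flags any name containing a byte below 0x20 or above 0x7F. The function names are assumptions made for the illustration.

```python
"""Added example: find file names with control or extended-ASCII bytes."""
import os
import sys

CONTROL_MAX = 0x1F  # the advisory's "control characters lower than 0x20"
ASCII_MAX = 0x7F    # bytes above this are "extended ASCII" in a single-byte code page


def classify_name(name):
    """Return the reasons a raw (bytes) file name is flagged; [] means clean."""
    reasons = []
    if any(b <= CONTROL_MAX for b in name):
        reasons.append("control")
    if any(b > ASCII_MAX for b in name):
        # Noisy on systems that store accented names as UTF-8; review by hand.
        reasons.append("extended")
    return reasons


def printable(name):
    """Escape every non-printable byte so a hostile name cannot corrupt the
    report or the terminal it is printed on."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in name)


def audit_tree(root):
    """Walk root and return sorted (escaped_path, reasons) for flagged entries.

    The walk uses bytes paths so that names which do not decode cleanly are
    still seen exactly as stored on disk.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            reasons = classify_name(name)
            if reasons:
                full = os.path.join(dirpath, name)
                findings.append((printable(full), reasons))
    return sorted(findings)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in audit_tree(start):
        print("%-17s %s" % ("+".join(reasons), path))
```

Flagged files can then be renamed to a plain ASCII name and rescanned.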
Multiple vendors trip on booby-trapped archives
A completely different flaw affects even more vendors of antivirus software, including Symantec and McAfee. The full list of vulnerable programs can be found at the SecuBox advisory.
According to SecuBox, this particular vulnerability can be exploited by hiding a virus in a specially crafted archive file with fake file headers. However, the file must be decompressed for the virus to be executed. This might not sound like a big deal, but we all know some people would open the virus, given the right social engineering.
What to do: This vulnerability can’t be 100% verified at this time — which is admitted by the author of the advisory — so exact measures are a little sketchy. I recommend that you don’t open any e-mail attachments from anyone that you’re not expecting. This is always a good practice in today’s climate of e-mail viruses.
Kaspersky Anti-Virus has CAB file problem
It was rem0te, then Secunia and SecuriTeam, that reported a problem Kaspersky Anti-Virus has with CAB archive files. Apparently, this is due to a boundary error problem when processing hacked CAB files. Exploiting this problem could cause a buffer overflow and let hacker code run when an infected CAB file is scanned.
There’s currently no patch for this problem, but Kaspersky Labs has updated its virus signature files to catch this exploit before it does any damage to a system.
You can read more info on this vulnerability in Kaspersky’s news release on the issue.
What to do: Make sure your Kaspersky Anti-Virus signature files are up to date and keep checking the site for updates.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Office SP2 chokes on Windows DiskCleanup
By Woody Leonhard
Office service packs have a long, tortured history. The little letters at the end of the release numbers — SR-1a, SR-2b — tell a sad tale of botched patches and patches of patches.
Even though I survived the torturous march to Office version 4.3c, and even Word 1.01a before that, I’ve never had as much trouble installing an Office patch as I had with Office 2003 Service Pack 2, which was released on Sept. 27.
Part of the problem originates with Office itself. But most of the people who’ve had trouble installing Office 2003 Service Pack 2 ran afoul of a commonplace feature known as Windows Disk Cleanup. To understand how things got screwed up, and why Microsoft didn’t catch the problem, you need to take a look at the way Windows cleans Windows.
Understanding how the cleanup thingy works
You probably know that Windows has a built-in disk cleanup feature. I talk about it (and ways to speed it up) in my Windows books. You can see it right now: click Start, My Computer, right-click on drive C:, then choose Properties. Windows shows you a pie chart of your hard drive, and tells you how much free space is available, along with other arcana.
If you click the button marked Disk Cleanup, Windows takes a long, long time to scan your hard drive. Eventually, it comes up with a list of files that can be readily deleted from your hard drive: Downloaded Program Files (ActiveX controls, Java applets), Temporary Internet files (cached pictures), Temporary files (anything in a folder called temp), the contents of your Recycle Bin (which you should only delete after you’ve examined the files to make sure there aren’t any babies in there with the bathwater), and the like.
Windows Disk Cleanup bites Office 2003
If you have Office 2003 installed on your computer — and only if you have Office 2003 — there’s an additional entry in the Disk Cleanup list of files that Windows offers to delete. That entry’s called Office Setup Files. Disk Cleanup describes those expendable files thusly: “Installation files used by Office. If these files are removed from your computer, you may be prompted for your original installation media or source during any Reinstall, Repair, or Patch operation. It is recommended that you not remove these files unless you always have ready access to your original installation media.”
When you see that Office 2003’s expendable installation files occupy a hefty 300 MB of hard disk space, you might be tempted to delete them. Hard to justify sucking up that much hard drive space when all of the files are on the Office CD anyway. Unfortunately, if you do give them the heave-ho, you’ll clobber the Office 2003 Service Pack 2 installer. Guess Microsoft forgot to remind you, eh?
Here’s what’s happening: Office 2003 sticks about 300 MB of compressed installation files in a hidden folder called c:\MSOCache. The Office people call them Local Installation Source, or LIS, files. There’s a good description of the LIS files and what they do on page 14 of this Office 2003 White Paper (PDF) and this Microsoft FAQ. Windows Disk Cleanup sees the LIS files as expendable, and they would be… if the Office patchers had written their installer correctly. They didn’t.
How to shoot the Office 2003 SP2 installer
When people tried to apply SP2 from the Office Update or Microsoft Update Web sites on a PC that’s had its Office installation files whisked away by Disk Cleanup, the installer simply complained that it couldn’t install the patch. If you download and run the “client” version of Office 2003 Service Pack 2 and those MSOCache files are missing, the SP2 installer goes belly-up with an inscrutable Error 0x51F. Your SP2 update goes haywire simply because you had the temerity to use Windows Disk Cleanup to get rid of expendable Office installation files.
What to do: As we go to press, Microsoft has two suggestions to fix things. First, a process to restore the needed files is described in a document entitled Change the Local Installation Source After the Installation. Alternately, you can install SP2 from the "full file" (104MB) version of the download instead of the "client" (50MB) version. The full file is available for download near the end of Microsoft’s Office 2003 SP2 page.
If you have FrontPage 2002 installed on your PC, as opposed to FrontPage 2003, there’s an additional step you need to avoid trouble. I describe this in a separate Office 2003 SP2/FP2002 page.
Why the big screw-up?
Testing patches is a thankless job. Microsoft developers aren’t stupid or incompetent. They’re simply facing an impossibly complicated environment. They don’t catch everything we want them to. And, let’s face it, there ain’t any money in makin’ patches.
Many Windows patches have undesirable, sometimes fatal, side-effects. Most major Office patches through the years have suffered from similar problems. The patches are tested exhaustively, but not well enough. The one great counter-example: Windows XP Service Pack 2, which was tested rigorously — but still had some problems.
In this particular case, Microsoft simply failed to test on a machine that’d gone through the Windows Disk Cleanup wringer. If any tester had tried to install Office 2003 Service Pack 2 on a PC that had been cleaned with Windows Disk Cleanup, the mistake would’ve stuck out like a squashed stink bug in a flower shop.
Of course the left hand/right hand conundrum works the other way: Windows patchers don’t pay much attention to Office, either. It seems that when Microsoft posted Windows 2000 Service Pack 4 Update Rollup 1 a couple of months ago, nobody tested it to see if Word could save a document to a floppy disk. Kaboom. So now we have a new Windows 2000 Service Pack 4 Update Rollup 1 — or is it Service Pack 4 Update Rollup 1 Service Release 1? Whatever they call it, at least Word users with Windows 2000 can now save files on floppies. Progress.
Until Microsoft starts testing its patches adequately, I refuse to allow Windows Update or Microsoft Update to apply patches to my systems. I strongly recommend you do the same. Automatic Update is only as trustworthy as the patches themselves — and the company that botches them.
[Editor’s Note: The other contributing editors and I recommend that individual Windows users turn Automatic Updates on and then read this newsletter to learn how to cure any problems that may arise. The debate is healthy. Please see Susan Bradley’s comments on fast-tracking patches, below. —Brian L.]
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Fasten your seatbelts for the October patches
By Susan Bradley
The yellow shield is in the System Tray reminding me this is Patch Tuesday. And before I began to write this article, I installed all 9. (Yes, there are 8 patches and one malicious software removal tool.)
Woody Leonhard would probably call me foolhardy for turning on Automatic Updates. (See the comments at the end of his column, above.) But these days, it looks like there’s a bumpier ride for those who wait to patch than those who update promptly.
Please patch Charlie Gibson’s PC asap
I hope for sure that the people who handle patch management at CNN, ABC, and places like that are subscribed to Windows Secrets. Our guest writer this issue, Ryan Russell (above), says the new MS05-051 patch (KB 902400) looks like the favorite to win this month’s race between patch administrators and the bad guys.
This new hole is a serious "from remote" threat and the patch should be your top priority. If you remember back two months ago, you’ll recall that the Zotob worm came out very quickly — the first sighting was only five days after Microsoft’s patch release on Aug. 9. The Internet attack affected many large firms, notably several media outlets. I still remember listening to ABC’s Good Morning America anchor Charlie Gibson talking about how his infected workstation kept rebooting.
Microsoft’s MS05-051 bulletin installs some new Registry keys, which are listed in KB 908620. These options allow Windows 2000 admins to add a bit more defense in depth in their systems.
Note that when you install MS05-051, TIP (Transaction Internet Protocol) is disabled. If you need to re-enable it, you can follow the instructions in the KB article.
This bulletin replaces several prior security bulletins. If you historically had any issues with MS security bulletins MS03-010, MS03-026 (Blaster), MS03-039 (Son of Blaster), MS04-012, or MS05-012, keep an eye out. I’ve installed the patch here and am seeing no issues with my applications or network.
IE cume patch may hose Web apps
Our monthly Internet Explorer cumulative patch, MS05-052 (896688), lists the typical caveats about replacing prior hotfixes. This patch also adds additional defense-in-depth features that may affect Web based applications (in particular, anything you’ve custom developed).
It’s wise to test this patch extensively if you have any line-of-business applications that are Web based. KB article 870669 gives details on how to re-enable specific application functionality if you need to.
This bulletin also lists a lengthy set of "Class Identifiers in COM Objects" that really don’t need to be called up by Internet Explorer. The bulletin explains that the patch places a "killbit" to ensure that these objects cannot be invoked via the browser.
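One way to confirm after patching that the killbits are in place, as an added example that is not from the bulletin or this newsletter: it reads a registry export of Internet Explorer's ActiveX Compatibility key and checks each expected class identifier for the 0x400 kill-bit flag in its "Compatibility Flags" value. The CLSIDs and the export text are constructed placeholders (the real list is in the bulletin), and the function names are assumptions.

```python
"""Added example: check a .reg export for IE kill bits on expected CLSIDs."""
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks the control in IE
AX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
             r"\ActiveX Compatibility")

_KEY = re.compile(
    r"^\[(?P<path>.+)\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9A-Fa-f]{8})$')

# Constructed sample in regedit export format. A real export is UTF-16 and
# must be decoded by the caller before it is passed in as text.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000a2}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A3}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\{00000000-0000-0000-0000-0000000000A4}]
"Compatibility Flags"=dword:00000400
'''

# Placeholder CLSIDs standing in for the list published in the bulletin.
EXPECTED = ["{00000000-0000-0000-0000-0000000000A%d}" % n for n in (1, 2, 3, 4)]


def parse_compat_flags(reg_text):
    """Map CLSID (upper case) -> flags for entries under ActiveX Compatibility.

    Keys elsewhere in the export are ignored even if they carry a value with
    the same name, so an unrelated key cannot be mistaken for a kill bit.
    """
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = _KEY.match(line)
            if m and m.group("path").lower() == AX_COMPAT.lower():
                current = m.group("clsid").upper()
                flags.setdefault(current, 0)  # key present, no flags seen yet
            else:
                current = None
        elif current:
            m = _FLAGS.match(line)
            if m:
                flags[current] = int(m.group("val"), 16)
    return flags


def killbit_report(reg_text, expected):
    """Return {CLSID: 'killed' | 'not killed' | 'missing'} for expected CLSIDs."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected:
        key = clsid.upper()
        if key not in flags:
            report[key] = "missing"
        elif flags[key] & KILL_BIT:
            report[key] = "killed"  # other bits may be set alongside 0x400
        else:
            report[key] = "not killed"
    return report


def unprotected(reg_text, expected):
    """CLSIDs the browser could still instantiate according to this export."""
    report = killbit_report(reg_text, expected)
    return sorted(c for c, state in report.items() if state != "killed")


if __name__ == "__main__":
    for clsid, state in sorted(killbit_report(SAMPLE_EXPORT, EXPECTED).items()):
        print("%-11s %s" % (state, clsid))
```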
Block and defend at your border
The next bulletin that I recommend you take defensive measures on is MS05-050 (904706). This is a case where you need to do some blocking of file types in your antivirus package and at your firewall. Given that many of us are still running with Administrative (full) rights, all it would take would be one hacker to trick my end users into clicking a digital file, such as a .avi, as reported by Internet Security Systems.
Got the Exchange2K Post-SP3 update rollup?
MS security bulletin MS05-048 (907245) had me scratching my head at first. When I was comparing the patches as offered up on Microsoft Update to the bulletin numbers, I couldn’t match this one to the KB numbers in the window.
Because this bulletin affects both Windows and Exchange, there are two sets of KB numbers: 901017 for Windows and 906780 for Exchange. If you need to remove the patch, that might be a bit confusing in your Add/Remove Programs window.
For those needing to deploy this patch to Exchange 2000 boxes, be aware that you’ll need the Post-Service Pack 3 Update Rollup in place. That’s available for download at KB 870540.
What doesn’t auto-update this month
On some workstations with Automatic Updates enabled, there were no prompts for Office 2003 SP2 when the yellow shield indicated there was an Outlook spam-filter update. I ended up just going to Microsoft Update and manually pulling the service pack down. I’m still not sure if the issue is related to a version of Office Web Components, as discussed on the Web, or just a fluke.
Sometimes it pays to be expecting patches and to manually click Microsoft Update to check. For the record, on one XP SP2 machine, this week I’ve installed 8 security patches and one Malicious Software Removal Tool. Last week I installed Office 2003 Service Pack 2 and the new Outlook 2003 junk e-mail filter update (KB 904631). Remember, you only get the new antiphishing features in Outlook 2003 if you install both Office 2003 Service Pack 2 and the junk-mail filter.
How you can fast-track your patches
I still don’t turn on Automatic Updates on my servers, but I do on my workstations. I want them to be fast-tracked with patches and I have savvy end users operating them (hopefully including me, for one).
I went back and reviewed all the patches that caused me grief in my office over the last year. I determined that I wasn’t negatively affected by patch issues to any great degree. In fact, I realized that I would be taking more risk by not quickly patching and waiting to see if others had issues.
My company’s machines are all on Windows XP SP2 and all the servers are Windows 2003 SP1. I knew that I had ample resources with which to recover, good backups, and the means to call Microsoft regarding issues (a free call). I can also call upon Patch Communities for guidance.
I’m not turning on Automatic Updates on quite all of my workstations. But I do want to install patches fairly routinely on most machines so my end users don’t have to worry. That means I turn on Auto Updates for those machines where I know the end users can manage their own patches. It’s less risk for me to deal with possible patch issues than to clean up a big mess after a virus or a worm.
WSUS and SMS misidentify October updates
We’re watching some late breaking issues regarding patch deployment on WSUS. MS05-049 is being reported as “Critical,” but it’s not (it’s rated “Important”). Also, SMS is not properly identifying patches and possibly not deploying them. Microsoft’s Doug Neal says "MBSA 1.2 doesn’t support a number of products — including DirectX (see KB 306460)."
Meanwhile, Microsoft Update and Automatic Updates work just fine here at my office (if a bit sluggish lately). I’ll keep you posted if any new info arises. I welcome feedback on these articles and any issues you may be seeing.
How to set your own patch schedule
Only you can determine whether you want to let Automatic Updates handle patching or if you want to take the time to determine your own patch risks. If you’re reading this, you’ve already invested the time to be part of the solution, not the problem. Thank you. You’re one of the good guys and gals who spend the time to learn more about this complex system called a computer. As always, keep an eye on Brian’s Security Baseline (above). With a little effort — assuming you don’t work for a major media company — most of us will get by just fine.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Highlander in 30 sec., re-enacted by bunnies
Jennifer Shiman and her animated flop-ears have done it again. Her new capsule motion picture shrinks the entire Highlander movie into just half a minute, complete with sound track (not just an audiotape on fast forward, either).
Previous take-offs have included stopwatch versions of The Exorcist, The Shining, and the War of the Worlds. But start with her rendition of Highlander, which is coarsely hilarious as long as you don’t expect it to make much sense (rather like the actual film). Highlander animation page
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
