Re: Alert: Microsoft Security Bulletin - MS03-010
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed, 7 May 2003 08:33:42 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Lucas Grijander brought to my attention a newsgroup discussion regarding problems with MS03-010 in IIS environments. Seems that some people using COM+ with IIS have been experiencing problems with ASP transactions with COM+ after installing MS03-010. The problems have varied, but the only solution had been to remove MS03-010, after which the ASP transactions worked correctly again.
One poster opened a case with PSS which eventually was resolved. PSS provided the individual with 814119, a fix which provides no information about being related to MS03-010 at all. However, the components provided in MS03-010 were all from October 2002 (for the W2K versions) or November 2002 (for the XP versions). Considering MS03-010 wasn't released until the end of March 2003, its rather surprising the fixed files are so old.
814119 contains files from the end of February 2003. It contains the files which were included in MS03-010, plus many more. 814119 is a "private patch", meaning it is intended only to be supplied by PSS, and then only if the conditions of the problem being observed meet the criteria specified by the KB. Since the KB doesn't mention anything about the ASP issues associated with MS03-010, nobody with ASP problems would even know to ask for it.
There has been no discussion as to whether or not 814119 causes other problems, private patches are not as thoroughly tested as security patches, so buyer beware. That said, if you are, or have, experienced problems with MS03-010 on your IIS servers with ASP applications performing transactions...and have subsequently removed MS03-010...and for some reason cannot block access to TCP135 on the machine (like you're on an internal network at a University with a bunch of ingenious students)...call PSS and ask for 814119.
FYI, 814119 does contain all of the fixes included in MS03-010. It will be included in W2K SP4 and XP SP2.
Blocking access to TCP135 should be the preferred method of addressing this issue for IIS servers (at least.)
IMO, Microsoft should at least add a caveat to the MS03-010 article indicating that reports of the IIS problems have been received (via PSS), and that a fix is available should it be needed (again, via PSS) assuming they don't want to re-release the patch. A re-release would likely cause a lot of people to re-apply the patch even though they don't fall into the conditions required for the patch to fail, so I can understand them not wanting to re-release.
Russ - NTBugtraq Editor
Delivery co-sponsored by IP3 Inc.
SECURITY QUESTIONS? We've got answers...Apply for a scholarship and become
Do not miss your opportunity to discover solutions to what our participants
have identified as their top 5 IT Security Challenges. You will return to
work better prepared to put into place an effective security strategy
utilizing the latest security tools, bookmarks and URL's.