MS Knowledge Base articles can be misleading
From: George Boswell (GBoswell_at_KREBS.COM)
Date: 06/04/04
- Previous message: Russ: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
Date: Fri, 4 Jun 2004 08:49:49 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi Russ.
Several comments on your original subject mentioned the necessity to be smarter about patching; e.g., Ivan Arce said:

From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Ivan Arce
Sent: Thursday, June 03, 2004 3:39 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins
.....
"Scan & Patch consumes resources; usually you need to prioritize what to patch, when, and in which order. How is this done? By an "expert system", aka a human being? Does the expert system take into account actual threats or just the alleged presence of a vulnerability in a system? Is it really there? How can you tell? Is it really exploitable? Is there an actual exploit for it? Is it publicly available? What are the chances of an exploit coming into existence? Within what timeframe? ..."
The subject of my comment concerns the issue of misleading Microsoft Knowledge Base articles. Specifically, 841382, which seemed to warn about dire consequences for certain computers after installing the Sasser patch (MS04-011, 835732). Based on this KB article, I made the decision to defer installing the patch on my mission-critical Exchange 2K3 server because the server loads the driver dlttape.sys.
But I tested the patch using a similar system in the test lab. The test server took the patch and showed none of the behavior identified in the KB article. Based on this, I contacted Microsoft Product Support through unofficial channels, hoping to clarify the article.
My contact at Microsoft explained the rest of the story regarding KB articles. In most cases, Microsoft leaves out important information. This particular article fails to fully define the known conditions that cause the SYMPTOMS. In point of fact, only systems that have previously installed certain undisclosed custom patches actually are at risk. A computer with a "clean" install of the operating system will not have the SYMPTOMS defined in the article.
What does this all mean? As the human "Expert System" responsible for computer security at Krebs, I needlessly delayed installation of a critical security update. I attribute this delay and additional risk to Krebs, to Microsoft's policy of not fully disclosing the conditions that cause their software to fail. It appears that Microsoft expects KB articles to be used as a reactive solution after a problem occurs, rather than a proactive solution to preventing problems.
I would appreciate your posting my comments. I am curious if this is well known within the community.
George Boswell
MCSE, A+, BSEE
Krebs Engineers
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----