My MS04-028 FAQ

From: Robb (hay_robb_at_yahoo.com)
Date: 09/15/04


Date: 15 Sep 2004 09:19:53 -0700

The instructional text in this latest MS04-028 Security Bulletin seems
totally ridiculous for anyone trying to effect patch management on more
than 3 PC's. Their FAQ is just blowing me away. I'm not sure
whether to laugh or to cry. Here's my FAQ. Let's see them answer
THESE!

Feel free to play along and either answer or add to the list. It
won't likely accomplish much, but it will be more fun (and probably
more productive) than sitting in a meeting with a bunch of other
confused IT's trying to figure out "how to deploy this one."

1. Are you *%^ing kidding me! OK, I just had to get that out. Moving
on...
2. What is this "vulnerable component"?
"Windows XP, Window XP Service Pack 1, and Windows Server 2003 are
the only operating systems that contain the *vulnerable component* by
default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT
4.0, and Windows 2000 are not. However, the *vulnerable component* will
be installed by any of the programs listed in the affected software
section of this bulletin on these operating systems and you should
install the appropriate security update for those programs."
3. Is it "GDI+"? (Then say so!)
4. If it is GDI+ and Windows is such a shared resource OS, why can't
the GDI+ component be patched at the OS level without requiring a patch
for each individual app?
5. "Typically, when these programs are installed on Windows XP,
Windows XP Service Pack 1, or Windows Server 2003 they only use the
version that is provided by the operating system, even if they install
a copy of the vulnerable component." Oh, really? (Trying to find a
nice way of asking #1 again.)
6. Can the "vulnerable component" be removed/uninstalled?
7. Would removing it disable viewing/using JPEG files and/or disable
some other desired functionality?
8. Would removing the .Net Framework help the situation?
9. Does this prove my original fears that installing the .Net Framework
is merely an act of inviting *yet another MS security nightmare*?
10. If the recent .Net Framework 1.0 & 1.1 SP's contained such
critical patches as this one, why didn't MS issue a Security Bulletin
for them?
11. Why DOESN'T the "GDI+ Detection Tool" do all the things that
MS tells us it doesn't do? (Basically: why doesn't it detect ALL
affected sw AND tell us whether that sw is patched?)
12. If the existing GDI+ detector says I'm clean, and then I install
something vulnerable, am I "SOL"? Will the detector say, "I've
already run," and ignore my new app?
13. Can MS provide us with a detector that works?
14. Will someone else make one that works?
15. If so, can we buy *their* OS and/or sw?
16. Does this vulnerability affect only MS sw?
17. Are any other sw companies saying, going to say, or have they
already said anything about this vulnerability in regards to their sw?
18. If so, is it only because they're using MS SDK's to write their
sw?
19. Is it time to jump the MS ship?
20. How many more MS apps are going to get their own patches for this
same vulnerability a month or two down the road?
21. How many vulnerable apps won't get patches because MS doesn't
"support" them anymore? (implies they "supported" these apps
previously)
22. Should I simply use the GDI Detection Tool to find the vulnerable
apps and just remove those apps rather than wait for a follow-up patch
that "fixes" the same vulnerability and/or a totally new and
scarier one?
23. Which Linux distro should I start with if I'm a newbie to it, but
have been in IT for 15+ years?
24. How do I know what hardware to put this Linux distro with if I'm
building a new system?
25. How do I build a completely MS-free, Linux-based system that even
my technophobe wife (who may freak if it doesn't look exactly like
our old MS system) can use?
26. Is Linux any better, since I'll have to depend on several distros
and/or word of mouth to get bug/security fixes for it, as opposed to
one company like MS?
27. Last but far from least, the associated WindowsUpdate entry for
MS04-028 doesn't update anything. So, why is it listed as a Critical
Update?