Re: My MS04-028 FAQ
From: Walla Walla Wa (p51mustang_at_hotmail.com)
Date: Wed, 15 Sep 2004 11:59:34 -0500
"Robb" <firstname.lastname@example.org> wrote in message
> The instructional text in this latest MS04-028 Security Bulletin seems
> totally ridiculous for anyone trying to effect patch management on more
> than 3 PC's. Their FAQ is just blowing me away. I'm not sure
> whether to laugh or to cry. Here's my FAQ. Let's see them answer
> Feel free to play along and either answer or add to the list. It
> won't likely accomplish much, but it will be more fun (and probably
> more productive) than sitting in a meeting with a bunch of other
> confused IT's trying to figure out "how to deploy this one."
> 1. Are you *%^ing kidding me! OK, I just had to get that out. Moving
> 2. What is this "vulnerable component"?
> "Windows XP, Window XP Service Pack 1, and Windows Server 2003 are
> the only operating systems that contain the *vulnerable component* by
> default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT
> 4.0, and Windows 2000 are not. However, the *vulnerable component* will
> be installed by any of the programs listed in the affected software
> section of this bulletin on these operating systems and you should
> install the appropriate security update for those programs."
> 3. Is it "GDI+"? (Then say so!)
> 4. If it is GDI+ and Windows is such a shared resource OS, why can't
> the GDI+ component be patched at the OS level without requiring a patch
> for each individual app?
> 5. "Typically, when these programs are installed on Windows XP,
> Windows XP Service Pack 1, or Windows Server 2003 they only use the
> version that is provided by the operating system, even if they install
> a copy of the vulnerable component." Oh, really? (Trying to find a
> nice way of asking #1 again.)
> 6. Can the "vulnerable component" be removed/uninstalled?
> 7. Would removing it disable viewing/using JPEG files and/or disable
> some other desired functionality?
> 8. Would removing the .Net Framework help the situation?
> 9. Does this prove my original fears that installing the .Net Framework
> is merely an act of inviting *yet another MS security nightmare*?
> 10. If the recent .Net Framework 1.0 & 1.1 SP's contained such
> critical patches as this one, why didn't MS issue a Security Bulletin
> for them?
> 11. Why DOESN'T the "GDI+ Detection Tool" do all the things that
> MS tells us it doesn't do? (Basically: why doesn't it detect ALL
> affected sw AND tell us whether that sw is patched?)
> 12. If the existing GDI+ detector says I'm clean, and then I install
> something vulnerable, am I "SOL"? Will the detector say, "I've
> already run," and ignore my new app?
> 13. Can MS provide us with a detector that works?
> 14. Will someone else make one that works?
> 15. If so, can we buy *their* OS and/or sw?
> 16. Does this vulnerability affect only MS sw?
> 17. Are any other sw companies saying, going to say, or have they
> already said anything about this vulnerability in regards to their sw?
> 18. If so, is it only because they're using MS SDK's to write their
> 19. Is it time to jump the MS ship?
I'd get familiar with some of the other things out there.
> 20. How many more MS apps are going to get their own patches for this
> same vulnerability a month or two down the road?
> 21. How many vulnerable apps won't get patches because MS doesn't
> "support" them anymore? (implies they "supported" these apps
> 22. Should I simply use the GDI Detection Tool to find the vulnerable
> apps and just remove those apps rather than wait for a follow-up patch
> that "fixes" the same vulnerability and/or a totally new and
> scarier one?
> 23. Which Linux distro should I start with if I'm a newbie to it, but
> have been in IT for 15+ years?
Red Hat or Mandrake.
> 24. How do I know what hardware to put this Linux distro with if I'm
> building a new system?
Get a Knoppix bootable ISO. If it runs, your machine will run Linux.
> 25. How do I build a completely MS-free, Linux-based system that even
> my technophobe wife (who may freak if it doesn't look exactly like
> our old MS system) can use?
> 26. Is Linux any better, since I'll have to depend on several distros
> and/or word of mouth to get bug/security fixes for it, as opposed to
> one company like MS?
Red Hat and SuSE, to name two, have an update feature built in, a la Windows Update.
> 27. Last but far from least, the associated WindowsUpdate entry for
> MS04-028 doesn't update anything. So, why is it listed as a Critical