Re: My MS04-028 FAQ

From: Walla Walla Wa (
Date: 09/15/04

Date: Wed, 15 Sep 2004 11:59:34 -0500

"Robb" <> wrote in message
> The instructional text in this latest MS04-028 Security Bulletin seems
> totally ridiculous for anyone trying to effect patch management on more
> than 3 PC's. Their FAQ is just blowing me away. I'm not sure
> whether to laugh or to cry. Here's my FAQ. Let's see them answer
> Feel free to play along and either answer or add to the list. It
> won't likely accomplish much, but it will be more fun (and probably
> more productive) than sitting in a meeting with a bunch of other
> confused IT's trying to figure out "how to deploy this one."
> 1. Are you *%^ing kidding me! OK, I just had to get that out. Moving
> on...
> 2. What is this "vulnerable component"?
> "Windows XP, Windows XP Service Pack 1, and Windows Server 2003 are
> the only operating systems that contain the *vulnerable component* by
> default. By default, Windows 98, Windows 98 SE, Windows Me, Windows NT
> 4.0, and Windows 2000 are not. However, the *vulnerable component* will
> be installed by any of the programs listed in the affected software
> section of this bulletin on these operating systems and you should
> install the appropriate security update for those programs."
> 3. Is it "GDI+"? (Then say so!)
> 4. If it is GDI+ and Windows is such a shared resource OS, why can't
> the GDI+ component be patched at the OS level without requiring a patch
> for each individual app?
> 5. "Typically, when these programs are installed on Windows XP,
> Windows XP Service Pack 1, or Windows Server 2003 they only use the
> version that is provided by the operating system, even if they install
> a copy of the vulnerable component." Oh, really? (Trying to find a
> nice way of asking #1 again.)
> 6. Can the "vulnerable component" be removed/uninstalled?
> 7. Would removing it disable viewing/using JPEG files and/or disable
> some other desired functionality?
> 8. Would removing the .Net Framework help the situation?
> 9. Does this prove my original fears that installing the .Net Framework
> is merely an act of inviting *yet another MS security nightmare*?

> 10. If the recent .Net Framework 1.0 & 1.1 SP's contained such
> critical patches as this one, why didn't MS issue a Security Bulletin
> for them?
> 11. Why DOESN'T the "GDI+ Detection Tool" do all the things that
> MS tells us it doesn't do? (Basically: why doesn't it detect ALL
> affected sw AND tell us whether that sw is patched?)
> 12. If the existing GDI+ detector says I'm clean, and then I install
> something vulnerable, am I "SOL"? Will the detector say, "I've
> already run," and ignore my new app?
> 13. Can MS provide us with a detector that works?
> 14. Will someone else make one that works?
> 15. If so, can we buy *their* OS and/or sw?
> 16. Does this vulnerability affect only MS sw?
> 17. Are any other sw companies saying, going to say, or have they
> already said anything about this vulnerability in regards to their sw?
> 18. If so, is it only because they're using MS SDK's to write their
> sw?
> 19. Is it time to jump the MS ship?
I'd get familiar with some of the other things out there.

> 20. How many more MS apps are going to get their own patches for this
> same vulnerability a month or two down the road?
A bunch.

> 21. How many vulnerable apps won't get patches because MS doesn't
> "support" them anymore? (implies they "supported" these apps
> previously)
> 22. Should I simply use the GDI Detection Tool to find the vulnerable
> apps and just remove those apps rather than wait for a follow-up patch
> that "fixes" the same vulnerability and/or a totally new and
> scarier one?
> 23. Which Linux distro should I start with if I'm a newbie to it, but
> have been in IT for 15+ years?
Red Hat or Mandrake.

> 24. How do I know what hardware to put this Linux distro with if I'm
> building a new system?
Get a Knoppix bootable ISO. If it runs, your machine will run Linux.

> 25. How do I build a completely MS-free, Linux-based system that even
> my technophobe wife (who may freak if it doesn't look exactly like
> our old MS system) can use?
Currently difficult.

> 26. Is Linux any better, since I'll have to depend on several distros
> and/or word of mouth to get bug/security fixes for it, as opposed to
> one company like MS?
Red Hat and Suse, to name two, have an update feature built in, à la Windows.

> 27. Last but far from least, the associated WindowsUpdate entry for
> MS04-028 doesn't update anything. So, why is it listed as a Critical
> Update?
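The check Robb is asking for in questions 11 and 12 (find every copy of the GDI+ component on the box, not just the one the OS ships, and say whether each is patched) can be scripted by hand. The following is an added example written for this thread; it is not the poster's code and not Microsoft's GDI+ Detection Tool. It walks the Windows and Program Files trees for every gdiplus.dll and compares each file's version against a threshold. The default threshold, 5.1.3102.1360, is an assumption about the patched file version and must be confirmed against the file information in the MS04-028 bulletin before the output is trusted; the script is written for a modern PowerShell, which did not exist when the post was written.

```powershell
# Added example, not from the original post or from Microsoft's detection tool.
# Enumerate every gdiplus.dll under the given roots and flag copies whose file
# version is below the patched version. Each flagged copy belongs to some
# application that needs its own update, which is exactly why the OS patch
# alone does not close the hole.
param(
    [string[]]$Roots = @("$env:SystemRoot", "$env:ProgramFiles"),
    # ASSUMPTION: patched gdiplus.dll version; verify against the bulletin.
    [version]$PatchedVersion = [version]'5.1.3102.1360'
)

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            # Build the version from the numeric parts rather than the FileVersion
            # string, which some binaries pad with text and which does not compare.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                                   $info.FileBuildPart, $info.FilePrivatePart)
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $PatchedVersion)
            }
        }
}

$results | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

if ($results | Where-Object Vulnerable) {
    Write-Warning "Unpatched gdiplus.dll copies found; each owning application needs its own update."
}
```

Re-run it after installing anything new (the point of question 12): it has no memory of earlier runs, so a freshly installed application that drops its own old gdiplus.dll shows up the next time.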
