Thoughts on Microsoft's Latest Security Bulletin

Microsoft's October 2004 security bulletin was released today. Some of the guys in #snort-gui were shocked that the bulletins ranged from MS04-029 to MS04-038. An astute Slashdot post notes that only one vulnerability, MS04-038, affects Windows XP SP2. The XP SP2 weakness is referred to as the drag-and-drop vulnerability as it allows intruders to install programs through malicious Web pages rendered by Internet Explorer.

This reminds me of a saying that I wish I could attribute to someone: "Q: What's the best security patch for Windows 2000? A: Windows XP." This is more than a joke. I have a difficult time being sympathetic to enterprises that continue to operate Windows NT 4 systems. I am beginning to lose faith in organizations that have no plans to upgrade their servers from Windows 2000 to Windows 2003. Let's remember that Windows NT was released in 1996 and Windows 2000 in the year 2000. An organization relying on an 8 year old Microsoft OS is not showing the proper appreciation for security, given Microsoft's track record.

I tried to imagine a situation where I've seen similarly old operating systems running in the free UNIX world. For comparison, FreeBSD 2.1.5 was released around the same time in 1996 and 4.0 just appeared in mid-2000. While the FreeBSD 4.x tree is just barely still marked STABLE (about to be replaced by the 5.x tree), I know of no one running FreeBSD 2.x or 3.x. For my Linux friends, the helpful Red Hat history site shows Red Hat 4.0 appearing in late 1996 and 7.0 in late 2000. While I know of no one running Red Hat 4.x, some people continue to run 7.0 (and should migrate probably migrate to 9.0, at least).

On the commerical UNIX side (ignoring Red Hat Linux), consider Solaris. This history shows 1996 as the year of Solaris 2.5.1 and 2000 as the year of Solaris 8. I imagine many organizations still run Solaris 2.6 and 7, and haven't given much thought to 8, 9, or the upcoming Solaris 10. The Solaris release page shows 2.5.1 is in the very last stages of support, while newer versions get better treatment.

Running an OS that can be kept current is one of the characteristics of what I call a defensible network in The Tao of Network Security Monitoring. A look at the Product Lifecycle Dates - Windows Product Family shows Windows NT 4 "extended support" will be "retired" on 31 Dec 2004. "Mainstream" support for Windows 2000 ends 30 Jun 2005 with extended support expiring 30 Jun 2010. According to Microsoft's Lifecycle Policy FAQ:

"Mainstream support includes all the support options and programs that customers receive today, such as no-charge incident support, paid incident support, support that is charged on an hourly basis, support for warranty claims, and hotfix support. After mainstream support ends, extended support will be offered for Business and Development software.

Extended support includes all paid support options and security-related hotfix support that is provided at no charge. Hotfix support that is not security-related requires a separate extended hotfix support contract to be purchased within 90 days after mainstream support ends. Microsoft will not accept requests for warranty support, design changes, or new features during the extended support phase."

I find it hard to believe Microsoft will extend security-related hotfixes for Windows 2000 for another five years. We've already seen concerns that security features introduced in XP SP2 will not appear in older versions of IE, despite Microsoft's spin of the issue. I expect to see more security enhancements to mainline Windows releases like XP and its successors, without concern for older versions of Windows, wherever Microsoft can get away with it.

If you're looking for a way to deploy Windows XP with SP2 integrated, check out AutoStreamer. It's a GUI which makes creating a custom .iso of Windows XP with SP2 very easy. I tested it this weekend and deployed Windows XP with SP2 on a new system without any problems. My deployment provided AutoStreamer with a Windows XP CD-ROM, a copy of xpsp2.exe obtained via CD-ROM from Microsoft, and plenty of hard drive space on an existing Windows system. When I was done I burned the new .iso to CD and used it to install Windows XP.