Windows patch backfires on the security-minded

Security-conscious Windows users who tweaked the operating system to protect their PCs better are getting hit hardest by a flawed Microsoft patch, experts said Monday.

Microsoft has acknowledged that a patch released last week can cause trouble for some users. It could lock them out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said in an advisory on Friday.

The trouble occurs when default permission settings on a Windows folder have been changed, according to Microsoft. Those changes aren't common, but have been applied by some people to add extra security to their systems, experts said.

Related story
Windows patch may wreak havoc

"Critical" patch could lock people out of their PCs

"The flaw in the patch affects users who tightened down access lists," said Johannes Ullrich, the chief research officer at the SANS Institute. "These are typically more-advanced, security-conscious users."

The settings are also likely to be used by businesses with strict access requirements, such as those in the financial services or health care industries, said Vijay Adusumilli, a senior product manager at security software vendor St. Bernard Software. "They tighten settings for security purposes," he said.

The patch was released on Tuesday to fix four Windows vulnerabilities. Microsoft tagged the combined vulnerabilities "critical," and experts warned that a worm attack linked to the issue could be imminent. The software maker urged all users to immediately apply the update, delivered in security bulletin MS05-051.

"If users made changes to their security settings and tightened them, this patch is going to break a whole lot of software," Adusumilli said. The update simply didn't take into account all the possible Windows user configurations, he said.

The problem may result in more apprehension among users when it comes to applying Windows patches, he noted. "Microsoft's patch quality reputation just started to improve, but I think this is going to dent that a bit," Adusumilli said.

That is worrying, especially with a narrowing amount of time between the release of a software fix and a malicious code attack that exploits the vulnerability related to it, Ullrich said. The narrowing "patch window" has moved people to apply remedies faster.

"Many companies have come to rely on high patch quality to use accelerated deployment procedures for critical patches. But the problems with MS05-051 will make people think twice next time around," Ullrich said.

The flawed update delivered "two strikes against good security," Ullrich said. "First, you get penalized for running an enhanced security template. Next, you get penalized for patching quickly."

Microsoft had no immediate comment for this story.

[aabcdefghij987654321]

Overblown reporting

This is the second "story" on CNET to be posted about this single problem but the author still has the story completely WRONG. It's not a flaw in the patches MS provided, it's a flaw in the changes made by some people to their system configuration, and it's really just proof that if you don't know what you're changing when you're working with security settings then you're probably making a problem for yourself.

The blame for this problem lies at the feet of those who made (or suggested making) these security changes.

Overblown reporting

Which just shows MS' lack of quality documentation for each feature there OS' have.

[aabcdefghij987654321]

Underblown problem

It still doesn't change the fact that Microsoft has caused so much harm to society, and continues to do so, with the never ending security issues using Microsoft products presents to users of all types.

[Jonathan]

Maybe if MS actually locked down their OS in the first place?

Then maybe users and companys wouldnt have to resort to rolling their own security to the Nth degree. The blame lies at the root and that is Microsoft and that is Windows default security. Even Power User is still a joke at the registry level. A virus and typical adware still has enough room to maneuver to damage the registry or dink around with IE BHO's.
Please take the MS brown nosing over to zdnet or winsupersite. Is that you Paul?

Sorry, I don't buy that ...

I don't think your view on the story explains what happened to me :

<a class="jive-link-external" href="http://news.com.com/5208-1002-0.html?forumID=1&#38;threadID=10575&#38;messageID=77196&#38;start=0" target="_newWindow">http://news.com.com/5208-1002-0.html?forumID=1&#38;threadID=10575&#38;messageID=77196&#38;start=0</a>

[aabcdefghij987654321]

Overblown reporting

This is the second "story" on CNET to be posted about this single problem but the author still has the story completely WRONG. It's not a flaw in the patches MS provided, it's a flaw in the changes made by some people to their system configuration, and it's really just proof that if you don't know what you're changing when you're working with security settings then you're probably making a problem for yourself.

The blame for this problem lies at the feet of those who made (or suggested making) these security changes.

Overblown reporting

Which just shows MS' lack of quality documentation for each feature there OS' have.

[aabcdefghij987654321]

Underblown problem

It still doesn't change the fact that Microsoft has caused so much harm to society, and continues to do so, with the never ending security issues using Microsoft products presents to users of all types.

[Jonathan]

Maybe if MS actually locked down their OS in the first place?

Then maybe users and companys wouldnt have to resort to rolling their own security to the Nth degree. The blame lies at the root and that is Microsoft and that is Windows default security. Even Power User is still a joke at the registry level. A virus and typical adware still has enough room to maneuver to damage the registry or dink around with IE BHO's.
Please take the MS brown nosing over to zdnet or winsupersite. Is that you Paul?

Sorry, I don't buy that ...

I don't think your view on the story explains what happened to me :

<a class="jive-link-external" href="http://news.com.com/5208-1002-0.html?forumID=1&#38;threadID=10575&#38;messageID=77196&#38;start=0" target="_newWindow">http://news.com.com/5208-1002-0.html?forumID=1&#38;threadID=10575&#38;messageID=77196&#38;start=0</a>

[cjohn17]

Why the Loyalty?

Every time a MS problem surfaces we get dozens of folks making
all manner of excuses. What I don't understand is why? What
does MS do right to engender that kind of product line loyalty;
poor quality control, lousy coding, ancient interface, and a sooo
90's attitude toward new media? Really, all that loyalty for a big
ugly box to play games???

If this were a TV with this many problems set you'd be tossing it
off the local Best Buy cliff. Are you all that afraid of changing
platforms - perhaps to a platform that will love you back? A
platform that has been highly rated by well respected industry
professionals. A platform that has transformed the music and
video industry...

I am of course, talking about Linux... naw, I'm kidding. Linux is
MS's ugly conjoined twin.

I talking about Apple, my friends. It'll luv ya back. We'll even
show you the secret handshake!

<a class="jive-link-external" href="http://espellahumanzee.blogspot.com/" target="_newWindow">http://espellahumanzee.blogspot.com/</a>

[Hernys]

Do you really think...

Apples security is any better than MS? Really? You should check your facts. Apple releases more and more serious security fixes than Microsoft and Linux combined. And they try to fool you from knowing it by combining dozens of patches in a single fix.
What does Apple do right to inspire this kind of loyalty? Overpriced products? Proprietary and locked down technology? Product bundling? Form before function?
I could understand that kind of fanaticism from Linux users. It's free after all, and it makes you feel part of the project. But Apple? Please!

[Maelstorm]

Really?

"I talking about Apple, my friends. It'll luv ya back. We'll even show you the secret handshake!"

Sorry, I have no desire to have an Apple, or to know the secret handshake. It seems that the current battle is being fought between MS, Apple, and Linux. Well, there's a fourth power out there, one big enough to end it. I'm talking about BSD...FreeBSD to be specific. The granddaddy of them all.

You want to know about security? In FreeBSD 5.4-RELEASE, there have been 8 security holes found since March 28 2005. That's only *8* security holes in the base system in *7* *MONTHS*!! Come to think of it, Mac OS/X (Darwin) is based on FreeBSD, so I don't know what Apple is doing wrong to require so many updates. Maybe it's that Mach kernel that they are using. One other interesting tidbit...OpenBSD (the most secure OS on the planet) has had only *1* remote hole in the default install in more than *8* *Y-E-A-R-S*!!

Am I a zelot? Maybe, but I do know good code when I see it, and the *BSDs have excellent code. The BSDs are not really suited to the desktop though as it is more akin to the server arena, but many people use it on their desktop anyways. It can run Linux-x86 and SVR4-x86 binaries directly without modification. Need more info? Head over to <a class="jive-link-external" href="http://www.freebsd.org," target="_newWindow">http://www.freebsd.org,</a> <a class="jive-link-external" href="http://www.openbsd.org," target="_newWindow">http://www.openbsd.org,</a> or <a class="jive-link-external" href="http://www.netbsd.org" target="_newWindow">http://www.netbsd.org</a>.

[cjohn17]

Still No Answer

Still no can answer to the question; why the loyalty to MS? It
can't be the ability to mix and match cheap Korean parts that
rarely work together that is the draw?

... and spare me your misconceptions about a platform you
obviously know nothing about. At least be honest about that.
Quality, innovation, and security costs a little more than that
black boat anchor junk you all wrap your lives around.

C'mon, there's a secret handshake in it fer ya...

[J_Satch]

It'll luv ya back?

I should hope so, and, for the extra cost for an underpowered machine, it better cook me breakfast in the morning too!

[aabcdefghij987654321]

Indeed why the loyalty?

Every time a problem is reported with a MS product we get all sorts of Mac fanboys swarming all over the board telling us all sorts of lies and distortions and otherwise making a nuisance of themselves despite the fact that Apple has made many of the worst decisions and the most consistently overpriced hardware in the business.

[Mister C]

What would be really cool!

Here's an idea. We take 5 Microsurfs, 5 Macaholics, 5 Penguinistas, give them all plastic baseball bats, lock them in a room and let them beat the snot out of each other for about an hour. Hook up web-cams and send it out live over the net. People could bet on who would win, who would give up first, all sorts of stuff. It would be just like the Roman games just no so bloody. I know I would pay to watch it. Thoughts?

[cjohn17]

Why the Loyalty?

Every time a MS problem surfaces we get dozens of folks making
all manner of excuses. What I don't understand is why? What
does MS do right to engender that kind of product line loyalty;
poor quality control, lousy coding, ancient interface, and a sooo
90's attitude toward new media? Really, all that loyalty for a big
ugly box to play games???

If this were a TV with this many problems set you'd be tossing it
off the local Best Buy cliff. Are you all that afraid of changing
platforms - perhaps to a platform that will love you back? A
platform that has been highly rated by well respected industry
professionals. A platform that has transformed the music and
video industry...

I am of course, talking about Linux... naw, I'm kidding. Linux is
MS's ugly conjoined twin.

I talking about Apple, my friends. It'll luv ya back. We'll even
show you the secret handshake!

<a class="jive-link-external" href="http://espellahumanzee.blogspot.com/" target="_newWindow">http://espellahumanzee.blogspot.com/</a>

[Hernys]

Do you really think...

Apples security is any better than MS? Really? You should check your facts. Apple releases more and more serious security fixes than Microsoft and Linux combined. And they try to fool you from knowing it by combining dozens of patches in a single fix.
What does Apple do right to inspire this kind of loyalty? Overpriced products? Proprietary and locked down technology? Product bundling? Form before function?
I could understand that kind of fanaticism from Linux users. It's free after all, and it makes you feel part of the project. But Apple? Please!

[Maelstorm]

Really?

"I talking about Apple, my friends. It'll luv ya back. We'll even show you the secret handshake!"

Sorry, I have no desire to have an Apple, or to know the secret handshake. It seems that the current battle is being fought between MS, Apple, and Linux. Well, there's a fourth power out there, one big enough to end it. I'm talking about BSD...FreeBSD to be specific. The granddaddy of them all.

You want to know about security? In FreeBSD 5.4-RELEASE, there have been 8 security holes found since March 28 2005. That's only *8* security holes in the base system in *7* *MONTHS*!! Come to think of it, Mac OS/X (Darwin) is based on FreeBSD, so I don't know what Apple is doing wrong to require so many updates. Maybe it's that Mach kernel that they are using. One other interesting tidbit...OpenBSD (the most secure OS on the planet) has had only *1* remote hole in the default install in more than *8* *Y-E-A-R-S*!!

Am I a zelot? Maybe, but I do know good code when I see it, and the *BSDs have excellent code. The BSDs are not really suited to the desktop though as it is more akin to the server arena, but many people use it on their desktop anyways. It can run Linux-x86 and SVR4-x86 binaries directly without modification. Need more info? Head over to <a class="jive-link-external" href="http://www.freebsd.org," target="_newWindow">http://www.freebsd.org,</a> <a class="jive-link-external" href="http://www.openbsd.org," target="_newWindow">http://www.openbsd.org,</a> or <a class="jive-link-external" href="http://www.netbsd.org" target="_newWindow">http://www.netbsd.org</a>.

[cjohn17]

Still No Answer

Still no can answer to the question; why the loyalty to MS? It
can't be the ability to mix and match cheap Korean parts that
rarely work together that is the draw?

... and spare me your misconceptions about a platform you
obviously know nothing about. At least be honest about that.
Quality, innovation, and security costs a little more than that
black boat anchor junk you all wrap your lives around.

C'mon, there's a secret handshake in it fer ya...

[J_Satch]

It'll luv ya back?

I should hope so, and, for the extra cost for an underpowered machine, it better cook me breakfast in the morning too!

[aabcdefghij987654321]

Indeed why the loyalty?

Every time a problem is reported with a MS product we get all sorts of Mac fanboys swarming all over the board telling us all sorts of lies and distortions and otherwise making a nuisance of themselves despite the fact that Apple has made many of the worst decisions and the most consistently overpriced hardware in the business.

[Mister C]

What would be really cool!

Here's an idea. We take 5 Microsurfs, 5 Macaholics, 5 Penguinistas, give them all plastic baseball bats, lock them in a room and let them beat the snot out of each other for about an hour. Hook up web-cams and send it out live over the net. People could bet on who would win, who would give up first, all sorts of stuff. It would be just like the Roman games just no so bloody. I know I would pay to watch it. Thoughts?

Only....

Only in the world of windows would you call adding security
"tweaking"....

I would say the same about open source

look at openwrt.. its full of holes... and suse and fedora have auto update features to... I wonder where they got that idea?

os vs os... its so old school man, its all the same.. disgruntled programmers publish code.. and underserving companies enhance open source code... sooner or later.. the mac os yellow box idea will come to fruition.. or wait.. thats Ajax.. no, its KDE... yah whatever, I think the concentrated wealth in the tech industry needs to be more fairly disbursted... plenty of people are truely better off spending more time with thier families and figuring out their messed up lives... and their are plenty of youngerlings in need of fair wages and fair opportunity...

the growth model needs growth.. think globally but act locally...

Only....

Only in the world of windows would you call adding security
"tweaking"....

I would say the same about open source

look at openwrt.. its full of holes... and suse and fedora have auto update features to... I wonder where they got that idea?

os vs os... its so old school man, its all the same.. disgruntled programmers publish code.. and underserving companies enhance open source code... sooner or later.. the mac os yellow box idea will come to fruition.. or wait.. thats Ajax.. no, its KDE... yah whatever, I think the concentrated wealth in the tech industry needs to be more fairly disbursted... plenty of people are truely better off spending more time with thier families and figuring out their messed up lives... and their are plenty of youngerlings in need of fair wages and fair opportunity...

the growth model needs growth.. think globally but act locally...

[Buzzfilter]

It's not loyalty, it's marketshare

To me, I am only loyal to Microsoft because I have to be. Did you just crawl out from under a rock? Windows owns the market on desktop computers, by a HUGE percentage. I'm not saying Windows is better than anything coming from Apple or Linux or BSD, but it is the most common. If you were a hacker and wanted to make your mark, would you try to exploit an OS that 85% of people have, or one that maybe 10% of the people have? In my opinion, Windows is hacked and exploited more often because that's what hackers are attacking. Maybe Macs are less secure, maybe they aren't. But a virus writer is not going to spend time trying to exploit them if they are going to make the news exploiting Windows. If you feel comfortable with the car comparison, we can do that. Are Honda's more prone to being stolen because it's easier? Not necessarily. But there's a lot more Hondas on the road than Kias.

[X=0]

Not true

At this point you would get more news coverage hacking a Mac or
writing a virus for one.
A virus for Windows? Whoa, big news. There are only what,
100,000?
A virus for Mac is a bigger news item at this point.

[System Tyrant]

I figure

most hackers aren't going to spend the time trying to attack a whole that already has a fix in a market that only has 10 to 15 percent of the business.

However hackers who are in it for glory would probably want to attack systems that run Linux, Mac OSX, and BSD. The reason is anybody can hack Windows, but according to users and developers of those systems they are much more secure. I would think that if you are hacking for glory you would want to attack a system that supposedly is much harder to hack.

However if your intent is to create zombie computer and what not then you are better off to hack Windows who does have the largest desktop base.

It's my understanding that most hackers aren't particularly glory hounds. They have a purpose for what they do besides name recongnition.

[Buzzfilter]

It's not loyalty, it's marketshare

To me, I am only loyal to Microsoft because I have to be. Did you just crawl out from under a rock? Windows owns the market on desktop computers, by a HUGE percentage. I'm not saying Windows is better than anything coming from Apple or Linux or BSD, but it is the most common. If you were a hacker and wanted to make your mark, would you try to exploit an OS that 85% of people have, or one that maybe 10% of the people have? In my opinion, Windows is hacked and exploited more often because that's what hackers are attacking. Maybe Macs are less secure, maybe they aren't. But a virus writer is not going to spend time trying to exploit them if they are going to make the news exploiting Windows. If you feel comfortable with the car comparison, we can do that. Are Honda's more prone to being stolen because it's easier? Not necessarily. But there's a lot more Hondas on the road than Kias.

[X=0]

Not true

At this point you would get more news coverage hacking a Mac or
writing a virus for one.
A virus for Windows? Whoa, big news. There are only what,
100,000?
A virus for Mac is a bigger news item at this point.

[System Tyrant]

I figure

most hackers aren't going to spend the time trying to attack a whole that already has a fix in a market that only has 10 to 15 percent of the business.

However hackers who are in it for glory would probably want to attack systems that run Linux, Mac OSX, and BSD. The reason is anybody can hack Windows, but according to users and developers of those systems they are much more secure. I would think that if you are hacking for glory you would want to attack a system that supposedly is much harder to hack.

However if your intent is to create zombie computer and what not then you are better off to hack Windows who does have the largest desktop base.

It's my understanding that most hackers aren't particularly glory hounds. They have a purpose for what they do besides name recongnition.

[Buzzfilter]

This is true, but

did you not see the news coverage of the Blaster and Sasser worms? That's all I'm trying to say. If you can write a worm that can effect as many computers as possible, you will likely get someone's attention. It's harder to get attention if you are aiming at a much smaller crowd.

[Buzzfilter]

This is true, but

did you not see the news coverage of the Blaster and Sasser worms? That's all I'm trying to say. If you can write a worm that can effect as many computers as possible, you will likely get someone's attention. It's harder to get attention if you are aiming at a much smaller crowd.

[jv]

A problem that is addressed by "logo'd" software.

I think you will find that using "logo's" software and drivers nearly eliminates this issue.

Running "Driver Verifier" and "Software Compatibility Analyzer" will alos uncover some ugly warts in older software that has been upgraded to work with XP.

None of my managed machines (40+))have seen any issues. I always try to use only "logo'd" software or run the verifiers.

COM has been a problem for some time since many developers learn how to use COM without actually readying and understanding toe rules. This, at times, applies to Microsoft's own developers and techs.

Patches for critical production machines should always be tested first. Before installing you must set a restore point and do a backup of the OS. System State makes this very easy to accomplish.

[jv]

A problem that is addressed by "logo'd" software.

I think you will find that using "logo's" software and drivers nearly eliminates this issue.

Running "Driver Verifier" and "Software Compatibility Analyzer" will alos uncover some ugly warts in older software that has been upgraded to work with XP.

None of my managed machines (40+))have seen any issues. I always try to use only "logo'd" software or run the verifiers.

COM has been a problem for some time since many developers learn how to use COM without actually readying and understanding toe rules. This, at times, applies to Microsoft's own developers and techs.

Patches for critical production machines should always be tested first. Before installing you must set a restore point and do a backup of the OS. System State makes this very easy to accomplish.

[jv]

Use of "tightened security".

If you tighten security beyond the default you must undrstand the changes it makes to the OS and the possible effects of the change.

On a Unix box (Sun) during an install we decided to use the "secured" installation.

Guess what teh outcome was?

We were unable to get Oracle or any other third party software to run. THe "root" account had less than usual access to system utilities without specifically granting these rights.

Does anyone remember the security nightmare with Novell?

[jv]

Use of "tightened security".

If you tighten security beyond the default you must undrstand the changes it makes to the OS and the possible effects of the change.

On a Unix box (Sun) during an install we decided to use the "secured" installation.

Guess what teh outcome was?

We were unable to get Oracle or any other third party software to run. THe "root" account had less than usual access to system utilities without specifically granting these rights.

Does anyone remember the security nightmare with Novell?

More Important

Everyone keeps blabbing on and on about Microsoft vs Apple vs Linux. The evidence and points of view taken on "superior" security are endless due to the neverending sess-pool of fanaticism that topics like this seem to create. Rather than doubling as a recruitment officer, you could be talking about the real issue at hand.

Today, the average computer user is bombarded with promises of anti-virus, anti-spyware, firewalls, and the like. Something is obviously wrong. If security was as it should be, you shouldn't need this extra software. So who's responsibility should it be to keep your pc secure. Your ISP? The operating system creators? Or are 3rd party programs the best way to tackle internet security.

A more interesting approach to this topic is to suggest that the government is lacking. Why shouldn't the government be more proactive against hackers and the like? It is illegal isn't it? You can't just recommend that everyone lock their doors, and have no police on duty when something actually happens.

I think this topic will tend to itself over time. If the next operating systems doen't have a higher base security, the gov'ts will be forced to step in and force ISP's to do something or, less likely, do something themselves. Personally I don't think the random assortment of 3rd party progs are doing much good. The avg computer user is basically hiding behind a glass wall.

More Important

Everyone keeps blabbing on and on about Microsoft vs Apple vs Linux. The evidence and points of view taken on "superior" security are endless due to the neverending sess-pool of fanaticism that topics like this seem to create. Rather than doubling as a recruitment officer, you could be talking about the real issue at hand.

Today, the average computer user is bombarded with promises of anti-virus, anti-spyware, firewalls, and the like. Something is obviously wrong. If security was as it should be, you shouldn't need this extra software. So who's responsibility should it be to keep your pc secure. Your ISP? The operating system creators? Or are 3rd party programs the best way to tackle internet security.

A more interesting approach to this topic is to suggest that the government is lacking. Why shouldn't the government be more proactive against hackers and the like? It is illegal isn't it? You can't just recommend that everyone lock their doors, and have no police on duty when something actually happens.

I think this topic will tend to itself over time. If the next operating systems doen't have a higher base security, the gov'ts will be forced to step in and force ISP's to do something or, less likely, do something themselves. Personally I don't think the random assortment of 3rd party progs are doing much good. The avg computer user is basically hiding behind a glass wall.

[Musmanno]

MP3Concept

there's one.

[Musmanno]

whoops

meant to reply to smoeone asking to name a single MAC OS virus.

[Musmanno]

MP3Concept

there's one.

[Musmanno]

whoops

meant to reply to smoeone asking to name a single MAC OS virus.

[thedreaming]

It's strange...

This flaw causes problems for people that tightened security on their systems on their own, but anyone that just leaves things as is isn't affected. Is microsoft telling us that we are too smart for our own good and that we should join the rest of the idiots of the world that don't know what a defrag program is?

Just a thought...

[thedreaming]

It's strange...

This flaw causes problems for people that tightened security on their systems on their own, but anyone that just leaves things as is isn't affected. Is microsoft telling us that we are too smart for our own good and that we should join the rest of the idiots of the world that don't know what a defrag program is?

Just a thought...

BSOD (blue screen of death) till patch applied

I had just installed last week's round of security patches in a newly minted industrial PC, and I started getting BSOD intermittently. After this latest "fixed" patch was installed, the BSOD stopped. Pretty serious stuff, as we resell PCs as part of our business.

BSOD (blue screen of death) till patch applied

I had just installed last week's round of security patches in a newly minted industrial PC, and I started getting BSOD intermittently. After this latest "fixed" patch was installed, the BSOD stopped. Pretty serious stuff, as we resell PCs as part of our business.

windows patch backfires

...still running with original xp and minimal patches no sp1 no sp2 .....windows update service disabled....plenty a bunk here ....don wan it don need it.....

windows patch backfires

...still running with original xp and minimal patches no sp1 no sp2 .....windows update service disabled....plenty a bunk here ....don wan it don need it.....

[josmor]

Like an IE problem

In my case the problem showed like bloking all kind of scripts, even from some MMC like the SERVICES, and my Email Server. I couldn't access any kind of web page with javascript or activex. I couldn't upgrade windows (activex required), my antivirus, etc. I couldn't modify the security settings in IE.
I couldn't find information on how to solve the problem anywhere on the Internet. Only similar problems for IE 5.5 in Windows XP.
After uninstaling the patch.. all seems to work!