"No news is good news," said Jeff Graham, product manager at San Diego-based St. Bernard Software Inc., after downloading the three security bulletins released by Microsoft last Tuesday. "We haven't run into any problems with them."@8307
Microsoft released three security bulletins a week ago to fix security vulnerabilities that could have allowed an attacker to take over computers and install programs, manipulate data or create new accounts with full privileges.
"The most interesting thing about these three maybe, was that they did include on two of the patches, MS05-001 and MS05-002, code updates for NT4 which is beyond the deadline for support for NT4," Graham said. Support for Windows NT Server 4.0 Service Pack 6a and Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ended on Dec. 31.
Graham said the data stamps done on the patches showed that they were created during 2004, so it made sense that Microsoft was releasing them even though the deadline had past. "It's benevolent for Microsoft to continue to support NT4 users," he said. "It was an area where we weren't real sure, as a patching company, what was going to happen."@8306
Graham said he feels that Microsoft was on target in classifying MS05-001 and MS05-002 as "critical" updates because there were "recipes" to create malignant code available to hackers on the Internet.
"The bad boy of the bunch looks like the browser vulnerability [MS05-001], which, coincidentally also seems to be a slightly problematic patch if you apply it in the wrong order," Chris Andrew, vice president of product development at PatchLink Corp., in Scottsdale, Ariz. Andrew's company is recommending that other recent Internet Explorer patches be installed before MS05-001 in order for it to work properly.
Another issue with the patch, he said, was that postings have already appeared on his customer forum stating that a possible exploit may have been documented.
Stephen Toulouse, security program manager with Microsoft's security response center, said that the company recommends immediate deployment of all three bulletins across the enterprise for the same reason. "Especially in the case of MS05-001 and -002," Toulouse said. "In that case, those were public vulnerabilities, which really puts customers at risk because that means that the attackers know about it as well."