[THIN] Re: New Critical MS Fix MS06-040 ?!?!

  • From: "Monroe, Frank" <Frank.Monroe@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 13 Aug 2006 21:01:44 -0400

Agreed, wrong choice of words.  However, while the rest of the world was
being attacked over the past 5-6 years from the various known Windows
exploits due to the holes in the various Windows services, we were
sitting happy, not one attack and we have laptops that travel the world.
We do still patch.  But one of our laptops may be out of the building
for weeks or even months at a time and it may not be patched for a
while.  With this approach, they are about as immune to this type of
threat as they can be, short of disabling any service that has a
listener port.  Also, this approach protects from exploits that MS
doesn't even know exist (or at least exist yet) which is why MS
advises people to firewall at the system level as well.  This is a
proactive and preventative approach not a reactive one.  And finally I
can wait a few days while other companies apply the emergency patch and
report problems before I push a patch to a critical service that has not
had much user testing.  If the disadvantage to this approach is to
inconvenience a few consultants with their own personal equipment, it's
an easy call.


________________________________

        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
        Sent: Sunday, August 13, 2006 5:28 PM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
        
        
        'impossible', famous last words.  Nothing is impossible and
putting a belief into that is what typically causes problems.  
         

        Jeff Pitsch
        Microsoft MVP - Terminal Server

        Forums not enough?
        Get support from the experts at your business
        http://jeffpitschconsulting.com



         
        On 8/13/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote: 

                I don't think you understand.  This in fact addresses
non-rogue systems.  It is impossible for a system with this design to
get infected.  Since all corporate systems are configured this way, a
user can drop their laptop off on any network and not be infected.  This
is because the desktops/laptops only answer to the few IT systems that
are used to manage these systems.  So, in order for those
laptops/desktops to be infected, it would have to be infected from one
of the management systems.  And since the management systems are
configured in the same manner, they also can't be infected.  Believe me
this works and it works quite well.  We started this design immediately
after Windows 2000 was released and have not had one attack on ANY
system so far.  Of course we still patch.  But we don't have to worry
about rushing out a patch that has not been tested.

                I understand what you say in your second paragraph
because that's what we hear from consultants all the time.  But, I
really don't have a problem inconveniencing a few consultants when the
trade off is securing our network.  If we have a consultant that doesn't
comply, then we move on to the next vendor.


________________________________

                        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
                        Sent: Friday, August 11, 2006 9:08 AM
                        To: thin@xxxxxxxxxxxxx
                        Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                That only addresses rogue machines....  A user can
still take a trusted laptop home, infect it, and bring it back to the
trusted network.  Most viruses, worms and trojans are being designed to
circumvent today's security measures.  Firewalls and AV software can only
do so much against socially engineered attacks.

                Also, only allowing trusted machines on your network
presents a problem for us consultants.  I prefer to use my laptop as it
has all the tools and resources I need on it.   Trying to use a
customer-provided machine with limited access, tools and resources has
always been a nightmare.  It's like trying to soup up a Dodge Neon and
expecting it to run well in this weekend's NASCAR race at Watkins Glen.
                
                Joe
                
                
                
                On 8/10/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

                        That's why you should enable the Windows firewall on all desktops and
                        enable IPSEC pass-through from a specific domain group and do the same
                        on all servers but allow domain computers access.  This isolates the
                        desktops so that they can only be infected by trusted systems (if
                        trusted they shouldn't be able to be infected).  And isolates your
                        servers to all but domain member machines.  When you do this, if a rogue
                        system enters your network, they may have the worm, but they cannot
                        infect anything (except other rogue systems).
                        
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Landin, Mark
                        > Sent: Thursday, August 10, 2006 9:35 AM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > Any vulnerability which does NOT require user interaction to
                        > activate is critical. A firewall helps, but if you are on a
                        > corp network, and someone brings in an infected PC from
                        > outside or from the road, then now you have an infecting
                        > agent behind the firewall, and it will compromise any
                        > unpatched system.
                        >
                        > Firewalls are no substitute for patching.
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Matthew Shrewsbury
                        > Sent: Thursday, August 10, 2006 6:55 AM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > Any idea why this patch seems to be pushed as urgent? It
                        > sounds like if you have a firewall blocking ports 139 and 445
                        > there isn't any risk from the net?
                        >
                        > Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
                        > Network Manager
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Selinger, Stephen
                        > Sent: Wednesday, August 09, 2006 4:18 PM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > Any update on if this patch breaks anything. I have been
                        > advised by my security monitoring service to get this updated ASAP.
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
                        > Sent: August 9, 2006 7:40 AM
                        > To: 'thin@xxxxxxxxxxxxx'
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > We received the e-mail of this patch late yesterday....got a
                        > voice mail an hour later, and another follow-up this
                        > AM....this one is getting more attention from M$ than I can
                        > ever recall.  They asked that we make every effort to get
                        > installed in the next 72 hours.
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pardee
                        > Sent: Wednesday, August 09, 2006 7:00 AM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > I just received an email from our MS rep asking us if we had
                        > tested this, what the reasons were if we hadn't, and when we
                        > plan on rolling it out.
                        > They consider this a Level 3 patch and said it is extremely critical.
                        >
                        > We'll focus more on our Internet accessible nodes first (none
                        > are TS) but will start the testing with it internally over time.
                        >
                        > This is the first I've ever had our TAM contact us with
                        > questions over why we wouldn't just deploy it.
                        >
                        >
                        > > From: Steve Greenberg <steveg@xxxxxxxxxxxxxx>
                        > > Reply-To: <thin@xxxxxxxxxxxxx>
                        > > Date: Wed, 9 Aug 2006 00:31:20 -0700
                        > > To: <thin@xxxxxxxxxxxxx>
                        > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        > >
                        > > As usual, this is a case where patience and logic do not rule :-)  The
                        > > client is already in the process of applying the patch well over a
                        > > hundred non TS systems. It is the TS systems that we have some influence
                        > > on and are being requested to come back with field reports. So far on
                        > > in house test system, no problems.
                        > >
                        > > These are situations in which the client is being "ordered" to go ahead
                        > > and install the patches. Your explanation is perfect, but the bottom
                        > > line is that they are going to have to go ahead and do this, I am just
                        > > hoping someone else has jumped first and can tell us what the bottom of
                        > > the cliff looks like!
                        > >
                        > > Steve Greenberg
                        > > Thin Client Computing
                        > > 34522 N. Scottsdale Rd D8453
                        > > Scottsdale, AZ 85262
                        > > (602) 432-8649
                        > > www.thinclient.net
                        > > steveg@xxxxxxxxxxxxxx
                        > >
                        > >   _____
                        > >
                        > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
                        > > Sent: Tuesday, August 08, 2006 11:36 PM
                        > > To: thin@xxxxxxxxxxxxx
                        > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        > >
                        > > Hi Steve,
                        > >
                        > > Patching the server service on file/print backend servers and TS is
                        > > kind of scary considering the things that could break.
                        > >
                        > > I'm fairly pragmatic about this sort of thing because at the end of
                        > > the day, it's all about risk management.
                        > >
                        > > I wouldn't disregard a critical update on my internet exposed systems
                        > > but production TS is a different story.
                        > >
                        > > Taking past experience into account, in an adequately secured internal
                        > > network, the Microsoft security hotfixes have caused more system
                        > > outages than any exploits.
                        > >
                        > > Any internet-exposed systems should have the server service disabled
                        > > as a matter of course, in addition to appropriate firewall filtering etc.
                        > > Educational environments with TS/Citrix should be using internal
                        > > firewalls to limit exposure to ICA/http only.
                        > >
                        > > It's a question of what's a bigger risk, a known exploit with defined
                        > > work-arounds or an unknown failure due to inadequate regression
                        > > testing in the fix?
                        > >
                        > > If potential buffer overflow vulnerabilities in the server service
                        > > were the only vulnerabilities in the average internal network, we'd be
                        > > pretty darn secure.
                        > >
                        > > My recommendation is don't be panicked into installing this hotfix in
                        > > production. Test it in a development environment, if that's okay
                        > > install on a single production server. If nothing has broken after a
                        > > couple of weeks and nobody else is hurting, then patch your
                        > > production systems.
                        > >
                        > > I'll let you know what it breaks in a month's time ;-)
                        > >
                        > > regards,
                        > >
                        > > Rick
                        > >
                        > > Ulrich Mack
                        > > Volante Systems
                        > >
                        > >   _____
                        > >
                        > > From: thin-bounce@xxxxxxxxxxxxx on behalf of Steve Greenberg
                        > > Sent: Wed 9/08/2006 16:04
                        > > To: thin@xxxxxxxxxxxxx
                        > > Subject: [THIN] New Critical MS Fix MS06-040 ?!?!
                        > >
                        > > Does anyone have experience yet with this new critical patch in
                        > > production 2003/PS4 environments?
                        > >
                        > > http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
                        > >
                        > > We have customers who are asking for any available feedback on the
                        > > effect of installing this new critical fix as they are being required
                        > > to deploy it right away in production!!!
                        > >
                        > > Any experience? Any gotchas??
                        > >
                        > > thanks
                        > >
                        > > Steve Greenberg
                        > > Thin Client Computing
                        > > 34522 N. Scottsdale Rd D8453
                        > > Scottsdale, AZ 85262
                        > > (602) 432-8649
                        > > www.thinclient.net
                        > > steveg@xxxxxxxxxxxxxx
                        > >
                        ************************************************
                        For Archives, RSS, to Unsubscribe, Subscribe or
                        set Digest or Vacation mode use the below link: 
                        //www.freelists.org/list/thin 
                        ************************************************