To Patch Or Not To Patch?

It seems with each monthly Patch Tuesday, some kind of disaster follows Microsoft’s batch of fixes. In this case, there may be problems with one of the patches, but the federal government is taking the unusual step of insisting this patch be installed.

Both issues surround patch KB921883, or MS06-040. The patch addresses a remote code execution vulnerability in the Windows Server Service that could allow a virus to take complete control of the affected system.

The flaw is a buffer overflow in the Server Service that can be reached through a remote procedure call; exploiting it lets malicious code run on the exposed system, which can then be used to send out all kinds of further attacks.

The patch affects Windows 2000, Windows XP and Windows Server 2003.

In a rare public comment, the U.S. Department of Homeland Security issued a firm notice to Windows users to immediately apply the patch. The department warned that a successful attack could be launched similar to the Blaster and Sasser worms.

“Windows users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch,” the agency said in a public advisory.

At the same time, the Windows community site ActiveWin reported that MS06-040 can affect encrypted Web traffic.

“It has been confirmed on several machines that this patch breaks HTTPS functions. You cannot sign in to, or access pages reliably that use certificates, (most will not work), secure communications programs fail,” reads a posting on the site.

Initial responses on the site claimed this was not the case but the thread devolved into squabbling about Firefox and Linux popularity. ActiveWin did not respond to a request for elaboration by today.

A Microsoft spokesman said that it is still early in the August release cycle and the company has not been able to verify any customer reports of deployment issues at this time. As for the DHS security advisory, the spokesman said Microsoft encourages customers to deploy MS06-040 on their systems as soon as possible.

Chris Andrew, vice president of security technologies at PatchLink, called the DHS advisory “an unprecedented wake-up call that organizations are taking too long to patch. With exploits spotted in the wild the day after Patch Tuesday, the 30-day average time to patch is 29 days too long,” he said in a statement to

“The MS06-040 updates are not any more critical than previous patch releases,” Andrew continued. “However, the emergency is that hackers are now closely following Patch Tuesday, predetermining vulnerabilities to exploit and targeting attacks on Wednesday.

With this month’s crop of vulnerabilities allowing remote code execution, we could be looking at a repeat of the Zotob, Slammer or Blaster worm any moment.”
