A few weeks ago, Microsoft released two update files to patch up quite a number of vulnerabilities, most notably MS04-011 and MS04-012. The first set supposedly took care of a grand total of 14 different vulnerabilities and bugs. Just a few days ago, exploits were released in the wild to take advantage of the now infamous LSASS vulnerability, which one of those patches addressed. Give this exploit a few days to stew and we now have the Sasser bug and its variants out wreaking havoc on the internet since this past Saturday.
You might think that the answer to this new worm that’s smacking PCs around left and right is to patch up as soon as those updates are released, right? Hehe, you haven’t dealt with Windows patches yet, have you? My friends, only a seasoned administrator knows not to immediately apply a Windows patch to the important systems in your organization. Microsoft has a tendency to sometimes produce bad patches which make matters much worse. It turns out that the lovely patch for this new worm floating around has a bad tendency to knock out cold some Windows 2000 machines that are running certain VPN applications. One of my friends who runs a nice server farm of Windows 2003/Exchange 2003 machines said this patch also rendered most of his Exchange boxes dead, and he’s not even running the VPN software stated in the article above! Then there are also some reports of SOAP-specific apps failing after the new patch is installed, and a few regarding external USB drive issues!
Welcome to our world.
I tested the patches on several machines and all came out clean. I then patched 2 of my non-essential servers to see if they misbehaved. After waiting a day or two, I took care of all of the other servers, with the exception of the two most important machines in my network. I waited a little while just to see if Microsoft would release a fix for the patch. Unfortunately, they didn’t, and the exploit was released. At that point, you have to make a decision that no administrator should ever have to make: do I patch a system that could possibly fail or cause some major downtime for my users because of it, or do I not patch and contribute to the worm problem we are seeing now in the event that my servers become infected? Granted, I have both internal and external firewalls, so even if I was infected, it would have stayed on those machines.
I got lucky and no problems happened after I patched those machines the weekend before this.
However, I feel for the admins out there who can’t run this patch reliably and have this worm beating down on them. These poor folks are being placed in a very bad situation, and I can only blame Microsoft on this one. They really dropped the ball big time on this, and I wish they could be held liable. If a fix for your product causes even worse problems, there is something seriously wrong with the way you do business.