[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Accurate Accounting - THE OFFICIAL BLOG OF THE SBS DIVA
Tue, Apr 6 2004 14:18 bradley

Accurate Accounting

I really enjoy following the blog of Joe Wilcox of Jupitermedia.  Today's post was about the credibility of the number of security patches as reported by Microsoft.  In his blog entry, Joe went into a bit more detail about the methodology he used to count his number of patches, and then I got to this part: “The list of security alerts is here, for anyone that would like to do a count. I count 15 alerts, including one for Small Business Server 2003, which at its core is Windows Server 2003.”  When I read that part, I knew he had counted at least one security bulletin wrong.

Security bulletin 04-001 caught my eye as well when it first came out, because it specifically DOES list Small Business Server 2003, and any time SBS and security bulletin appear in the same sentence my alarm bells go off.

Now maybe it's just an indication of how sick I am, but I know for a fact, without even checking the website, that 04-001 is actually an ISA Server patch.  If they ever come out with a security bulletin version of Trivial Pursuit, I am going to kick some...... well, you know.  03-026 - MSBlast.  03-029 caused RRAS issues in SBS 4.5 the first time out.  04-002 - the first Exchange 2k3 bulletin.  04-001 may mention SBS, but that one's ISA.

But I don't think the ISA Server folks would label 04-001 as a Windows Server patch, nor would I think the Server folks would label it as one either.  Furthermore, if you knew SBS 2003, you would know that 04-001 only truly affects SBS 2k3 Premium [not Standard], and even on the Premium platform, since most of us SBSers never used the H.323 stuff in the first place, they turned it off until we do need it.  Thus, if you wanted to get technical about it, we aren't really vulnerable to 04-001 in the first place.

So if I were Joe, I wouldn't be including 04-001 in any count of Windows Server patches.  In fact, Joe might be wise to use an external, industry-trusted third-party site for information on security bulletins to put this argument to rest once and for all.  Why don't both Jupitermedia and Microsoft have Eric Schultze declare the true count?  And then both of them can stop with the “spinning” and get back to Microsoft making it easier to patch.

Me being...well me... I emailed Joe and pointed this out. 

In the meantime, we have come a long way, but we have a long way to go.  Not too long ago you couldn't put Software Update Services on a domain controller.  Now we've got a specific SBS “how to” whitepaper.

As for straight talk on patches, I'll go with the Eric Schultze/Shavlik database of Windows Server 2003 patches.

I count 12.

Bulletin : Description (KB article)  Date
MS04-007 : ASN.1 Vulnerability Could Allow Code Execution (828028)  2004/02/10
MS04-006 : Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)  2004/02/10
MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)  2003/10/15
MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)  2003/10/15
MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)  2003/10/15
MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)  2003/10/15
MS03-039 : Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)  2003/09/10
MS03-037 : Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715)  2003/09/03
MS03-034 : Flaw in NetBIOS Could Lead to Information Disclosure (824105)  2003/09/03
MS03-030 : Unchecked Buffer in DirectX Could Enable System Compromise (819696)  2003/07/23
MS03-026 : Buffer Overrun In RPC Interface Could Allow Code Execution (823980)  2003/07/16
MS03-023 : Buffer Overrun In HTML Converter Could Allow Code Execution (823559)  2003/07/09