[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] The threats and risk level today - THE OFFICIAL BLOG OF THE SBS DIVA
Thu, Aug 10 2006 19:22 bradley

The threats and risk level today

So "Sky is Falling" Susan is here with the 06-040 (KB921883) risk recap:

Here's what we know: the security patch for this vulnerability came out on Tuesday.  The exploit had already been used in targeted attacks.  Several folks have reverse-engineered the patch and have it in various automated vulnerability testing tools and whatnot.  So the clock is ticking.

As of right now the most vulnerable machines appear to be:

  • Windows 2000
  • Windows XP RTM and SP1
  • Windows NT (which is out of support anyway)

Reports are that the exploit used on these operating systems will be effective: someone can gain full remote access.

As of right now those machines that are less vulnerable are:

  • Windows XP sp2
  • Windows 2003 RTM
  • Windows 2003 SP1

On these platforms, it appears that the exploit will only result in a denial of service.  That's a good thing.  I guess I'm a jaded person, and a denial of service is a risk I'll take over something that will take control of a machine.  What's even better is that at this time our networks are protected from this by a firewall on the outside.

...but....

That doesn't mean we don't have a risk of something finding a way over the firewall, into the inner goo of our networks (the chewy nougat of all those open file and printer sharing ports).

The risk that I see is from a worm infecting a machine without making it noticeably impaired... you then use that machine to VPN back into your office.  VPN connections do hold a risk factor.  But for those of us who primarily use RWW, the risk level is much, much lower.  One cannot say that the risk is nonexistent, since someone once said the Titanic was unsinkable... and look where that got them... but the reality is that the connection port/protocol is different.  The risk to my "borg" network of XP SP2 and Windows 2003 is a mere denial of service attack, assuming something even got that far in the wall (mind you, if something did I'd be on oxygen having a heart attack that something made it through my defenses).  And all the gurus tell me that the RPC process that's at risk here can't be impacted by a RWW/RDP connection from a client.  All of these things are making me feel better.  I still put this patch on a fast track and approved its deployment as fast as I could.  I just feel a lot better about the overall risks to our SBS community.  Especially those that have gotten off of XP SP1 (which is out of support in October, btw).

Bottom line?  Look at how you provide connectivity to a network.  If you use VPN predominantly, then assess your risk factor accordingly.  A worm is not live at this time.  The risk is obviously lessened because we have firewalls protecting the impacted ports from the outside.  The potential risk is only something coming over the wall.  And for many of us that only use the connectivity of RWW, that risk is now much lowered.

So right now there's no worm... at this time... and we're in the 'alert phase' mode as the MSRC would say of the incident process.

{In full disclosure, one SBS community member is in the process of getting a case opened up to review the impact of applying 06-040 to the SBS server, which causes issues with access to shared resources by an XP SP2 workstation... now that said, I checked with other folks that use VPN and shared resources and they are not reporting issues... but as always, if you see issues with a patch, holler so we can get to the bottom of it}
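As an added example (not code from the post, nor anything from SBS or BigFix), here is a PowerShell check that lists which internal hosts still lack KB921883 and rates each one by the exposure tiers above (full remote access on Windows 2000/NT and XP RTM/SP1, denial of service on XP SP2 and Windows 2003).  The host names are placeholders, and it assumes WMI is reachable from the machine you run it on.

```powershell
# Added example, not from the original post: report KB921883 (MS06-040) status per host
# and rate each host's exposure using the tiers described in the post.
# Host names are placeholders; replace them with your own inventory.
$computers = @('SBS-SERVER', 'XP-WS01', 'XP-WS02')
$hotfixId  = 'KB921883'

function Get-Ms06040Exposure($caption, $servicePack) {
    # Per the post: full remote access on Windows 2000, NT and XP RTM/SP1;
    # denial of service only on XP SP2 and Windows Server 2003.
    if ($caption -match 'Windows 2000|Windows NT') { return 'RCE' }
    if ($caption -match 'Windows XP') {
        if ($servicePack -match 'Service Pack 2') { return 'DoS' } else { return 'RCE' }
    }
    if ($caption -match 'Server 2003') { return 'DoS' }
    return 'Unknown'
}

"{0,-12} {1,-38} {2,-15} {3,-8} {4}" -f 'Host', 'OS', 'Service pack', 'Exposure', $hotfixId
foreach ($computer in $computers) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        # Win32_QuickFixEngineering lists installed hotfixes by their KB id.
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $hotfixId }
    } catch {
        # A host that cannot be queried is unknown, not safe: flag it for follow-up.
        Write-Warning "$computer : could not query WMI ($_)"
        continue
    }
    $exposure = Get-Ms06040Exposure $os.Caption $os.CSDVersion
    $status = if ($qfe) { 'patched' } else { 'MISSING' }
    "{0,-12} {1,-38} {2,-15} {3,-8} {4}" -f $computer, $os.Caption, $os.CSDVersion, $exposure, $status
}
```

Hosts that show RCE and MISSING are the ones to put at the front of the deployment queue; a host you cannot query at all belongs in the same bucket until you know otherwise.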


# re: The threats and risk level today

Friday, August 11, 2006 4:39 AM by Graeme Smith

If you read the texts of the time, TITANIC's builders - Harland and Wolff - and the shipping line - White Star - never made the claim the TITANIC was unsinkable.....

As usual - some of the press got carried away!

# re: The threats and risk level today

Monday, August 14, 2006 6:56 AM by Peter

I love BigFix

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution - Windows 2000 SP4  
546 Computers Total.    77.66% Deployed.
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution - Windows XP SP1/SP2  
1775 Computers Total.    86.03% Deployed.