January 04, 2006

Give Microsoft a break already! The WMF patch SHOULD be out next week.

OK, this is nuts. I am quite saddened by the state of this latest WMF problem. Actually, I am more vexed at how irresponsible some security professionals seem to be in rushing to make recommendations that just don't make sense.

Listen up. Security is about risk mitigation. NOT risk avoidance. That means that technical safeguards being deployed in an organization should mitigate risks to get within acceptable tolerance levels WITHOUT exposing the business to new risk or lost productivity. Now, combine that with the fact that every organization's risk tolerance levels will be different, and it's quite clear that blanket statements simply don't make sense. And now we are seeing security professionals backpedal on their statements as they start to see the repercussions of their recommendations.

If ANY security professional recommends that you install an unsupported and untested security patch on your system, RUN. RUN AWAY. And don't look back. You don't want them near you. It is INSANE to blindly put security patches on a system without them being thoroughly tested first. No matter HOW GOOD the programmer is. Even if he is a kernel god (which Ilfak Guilfanov is; I am a big fan of IDA).

Look, let me let you in on a little secret that Steve Gibson is now sharing with the world. Microsoft has had a working patch for the REAL vulnerability (the one in GDI32.DLL) since back on December 28th. This means they were on TOP of the problem and had a fix almost immediately. The question you are probably asking yourself is WHY, then, it wasn't deployed. And the answer is... they wanted to test it first. And god bless them for making that decision.

Why do I say that? Well, people are now seeing that the UNOFFICIAL patch from Ilfak is actually causing printing problems for some users. It seems some PostScript drivers use the very code that the patch turns off. On the Full Disclosure list, there is a good explanation of how this could very well be happening. And without ANY testing of the patch, now people are finding they can't print. Whoops.

It's funny that people are screaming at Microsoft for not being faster to fix this. In my post on The Cost in Fixing Bugs and How Irresponsible Disclosure doesn't Help the Matter, I brought to your attention the fact that a single change has a tonne of test cases that have to be checked. And it has to be tested against every version of Windows in every language. Quite frankly I am rather impressed that they were able to get it into the regular Patch Tuesday as quickly as they did.

So in the end, wait for the official patch. And when it is available, TEST IT on your own test systems before deploying it to your production systems. VMware/Virtual PC are perfect tools for that. Ensure it works on your business systems BEFORE you go and deploy it. And that should be true for any patch. Direct from the vendor or not.

Posted by SilverStr at January 4, 2006 11:32 AM
Comments

I am glad at least one security pro shares my views. There were a bunch of pros at SANS and other areas telling people to install this patch. And I was wondering what happened to all the best practices, defense in depth, etc. Why anyone would install a patch that is untested I do not know.

I did consider deploying it for a fraction of a second, but if anything had gone wrong, I knew I would be in a support and security nightmare.

Posted by: badri at January 4, 2006 12:48 PM

Oh, and when was a 14-day turnaround for a well-tested patch late... I think this was the fastest MS has responded. I do think people are making this hole seem like it was worse than it really is. This could easily have been something remotely exploited without user action.

Although I always wondered how many of these malware sites survive. How come the DNS registrars and ISPs are not shutting these down much sooner?

Posted by: badri at January 4, 2006 12:54 PM

For the individual home/professional (non-corporate) user, what's more important in this case: not being able to print for a few days, or exposing your entire system to such an easily exploitable vulnerability... I know I would prefer to hold off printing for a few days, that's for sure.

In the meantime, the F-Secure guys seem to have tested Ilfak's patch on a number of configurations and are recommending installation of it as a temporary measure until the official patch is available.

Posted by: Mark Allanson at January 4, 2006 03:07 PM

"So in the end, wait for the official patch. And when it is available TEST IT on your own test systems before deploying it to your production systems."

So in the end, Microsoft tests a patch for a week just to make sure I can TEST IT on my own systems. Sounds fair, but ummm.. Never mind :D

Posted by: Frank Hollywood at January 5, 2006 04:02 AM

Well Frank,

I'd test any patch before putting it into a production environment. Why? Microsoft doesn't know your business processes and won't be able to test your business applications. If a patch may render your 'wacked-CRM-like-business-tool' useless, how effective is the patch?

These days, I am pretty confident that a Microsoft tested patch can go on workstations without much testing. But I would refuse to apply a server patch until it went through thorough regression testing with our test environment. If the server goes down, the cost of lost productivity and recovery time outweigh a small test cycle first.

Posted by: Dana Epp at January 5, 2006 08:19 AM

I think this is a perfect example of why the business world doesn't jump when security professionals start screaming. I try and follow bugtraq, but sometimes I get so irritated by the irresponsible, incomplete and just plain silly vulnerabilities that get reported. Your statement:

"Listen up. Security is about risk mitigation. NOT risk avoidance. That means that technical safeguards being deployed in an organization should mitigate against risks to get within acceptable tolerance levels WITHOUT exposing the business to new risk, or lost productivity. Now, combine that with the fact that every organization's risk tolerance levels will be different, its quite clear that blanket statements simply don't make sense."

is 100% the truth. Anyone not evaluating security risks with business tolerance levels in mind should re-evaluate their effectiveness.

Posted by: Anthony Maughan at January 5, 2006 10:45 AM

The "unofficial" patch came with a full uninstaller. Most of Microsoft's patches can't be uninstalled - so they darn well better test them...

Posted by: David at January 6, 2006 03:56 PM

Hey David,

That's not exactly true anymore. Most patches coming from Microsoft can be unrolled, as there is an uninstall dir in %WINDIR%. As an example, for the security patch for MS06-001 you can go into %WINDIR%\$NtUninstallKB912919$\spuninst to do your bidding.

You are right though, it is not as pretty as the unofficial patch uninstaller. But from Microsoft's position, would you want to make it easy for grandma to uninstall a security fix once it is installed? No, I wouldn't either.

Posted by: Dana Epp at January 6, 2006 08:48 PM
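The uninstall directory layout mentioned in the comment above lends itself to a quick deployment and rollback-readiness check. This is an added example, not code from the post or from Microsoft; it assumes PowerShell 3 or later and a Windows XP/2003 era host that still creates `$NtUninstallKBnnnnnn$` directories under %WINDIR%, and it treats KB912919 (MS06-001) as the fix being verified.

```powershell
# Added example (not from the original post): inventory the per-hotfix
# uninstall directories under %WINDIR%, confirm required fixes such as
# KB912919 (MS06-001) are present, and report whether each fix can still
# be rolled back via spuninst\spuninst.exe.
# Assumptions: PowerShell 3+; host uses the $NtUninstallKBnnnnnn$ layout.
# Caveat: admins and cleanup tools can delete these directories, so a
# missing directory is a prompt to check further, not proof the fix is absent.

param(
    [string[]]$RequiredKBs = @('912919'),   # KB numbers you expect installed
    [string]$WinDir = $env:WINDIR
)

# Single-quoted so the literal '$' in the directory name is not expanded.
$pattern = '^\$NtUninstallKB(\d+).*\$$'

$installed = @{}
Get-ChildItem -LiteralPath $WinDir -Directory -Force | ForEach-Object {
    if ($_.Name -match $pattern) {
        $kb = $Matches[1]
        $uninstaller = Join-Path $_.FullName 'spuninst\spuninst.exe'
        $installed[$kb] = [pscustomobject]@{
            KB          = $kb
            CanRollBack = Test-Path -LiteralPath $uninstaller
            Path        = $_.FullName
        }
    }
}

Write-Host "Hotfix uninstall directories found: $($installed.Count)"
$installed.Values | Sort-Object KB | Format-Table KB, CanRollBack, Path -AutoSize

# Set difference: required fixes with no uninstall directory on this host.
$missing = @($RequiredKBs | Where-Object { -not $installed.ContainsKey($_) })
if ($missing.Count -gt 0) {
    Write-Warning ('No uninstall directory for: KB' + ($missing -join ', KB'))
    exit 1
}
Write-Host 'All required fixes have an uninstall directory on this host.'
```

Run it on a test system first (as the post advises for any patch work); a non-zero exit code flags hosts that need a closer look before they are trusted as patched.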
