Microsoft admits MS10-025 patch didn't fix vulnerability
Summary: Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability.
The withdrawal of the bulletin means that affected Windows 2000 Server users should immediately consider applying mitigations and workarounds to avoid malicious hacker attacks.
The company did not explain why the bulletin was shipped with an inadequate patch. A brief blog post from Microsoft's Jerry Bryant offered the following:
Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.
The issue only affects Windows 2000 Server customers who have installed Windows Media Services (a non-default configuration).
Bryant urged affected users with internet-facing systems that have Windows Media Services installed to evaluate and use firewall best practices to limit their overall exposure.
The MS10-025 bulletin is rated "critical" because an attacker could achieve remote code execution by sending a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services.

Talkback
The truly sad thing about your post is...
this article we will see.
But you have to wonder...
I know SOME of the atrocious spelling and grammar is an attempt to beat content filtering, but their posts go above and beyond that.
Irony:
More irony
he considers himself a master-debater
That's hardly being fair.
If you disagree with his posts attack them on their merits (or lack thereof).
You can feel the ground shaking as the trolls come running.... (nt)
No Captain, I am not going to say anything.
still trying to recover from NonZealot calling me dumb in the article
talking about Apple quality. :-)
So this dummy will just sit back and smile.
NonZealot, are you sure you don't want to reinstall Mac OS on your
Macbook?
Whoops, I guess I did say something. Sorry.
RE: Microsoft admits MS10-025 patch didn't fix vulnerability
there that skipping QA can come back and bite you in the
proverbial rear end.
How much QA should there be for a 10 yr old, obsolete product that is...
And since the vulnerability exists only for those with the non-default config, I doubt too many are bit in their rear end.
Further, this non-working patch doesn't melt the o/s down, like McAfee's botch job; it simply doesn't correct the original vulnerability.
If we were talking about Win 7, there would be reason for concern...this is a non-issue.
Still many people still running Windows 2000.
Well, no, probably not that many that are affected...
However you do bring up a good point; and true, many still do run 2k Server...but after July, at what price?
When vulnerabilities are found in August, or if Win 2k needs another time zone fix in the future, or whatever else... will those people start shelling out money (that could have otherwise been spent on up-to-date o/s and hardware) to MS for hotfix support? (if that will even be available from MS) How long will that take to add up to the cost of new hardware and new server o/s?
Conversely, if they "eke through their current situation and...upgrade later" and are breached due to an unpatched exploit found after the sunset date...what kind of price tag are they looking at then? not only in recovery costs but in reputation?
2k server's sunset date isn't a surprise, just like XP's sunset in 2014 isn't a surprise. We knew some time ago that 2k sp4 was going to be the last service pack for 2k, those people could have started planning, and budgeting, then. (Back when times were good.)
Just like today, the time to start planning (and budgeting) for a transition from XP to Win 7, *nix, or whatever is now...so when we can afford it ($ and time wise), we can do it.
The idea that "we bought X technology at one point in time, and we won't ever have to worry about replacing or upgrading" is a very bad one.
To Each his/her Own, they were warned! nt
Actually, the vulnerability exists in Win2K SP4 (which is 5 years old, and
Until they let people update to a newer OS for free,
QA matters in this OS which people paid them for.
Why would they give a newer version away for free?
Because when they sold it, part of the deal was they would keep it updated.
So what you're saying is...
Sounds fair.
He did not say that.
I heard him say it, yes I did.
Nope. Try to read more carefully next time.
support it for a certain amount of time. As in, ensure that it continues to be fit
for use. Thus, it is their responsibility to make sure it works right until that time
(which has not yet come to pass). If it's not possible for them to keep it working
for as long as their contract dictates, the alternative would be to give a
replacement. I'm not sure what is so hard to understand about this.
Try that with your local car dealership