
Microsoft Security Info of 07.05.2005


Günther Kramer
09.05.2005, 10:02
This Alert is to notify you of the availability of an updated hotfix for Microsoft Knowledge Base article 898060 and provide information around this updated hotfix.

The alert is also to provide you with information and answers to a number of questions that have been raised since the publication of the Knowledge Base article on 23 April 2005.

As a reminder, the Knowledge Base Article can be found here:
http://support.microsoft.com/kb/898060

The Master Knowledge Base Article for MS05-019 references this article. The Master Knowledge Base Article for MS05-019 is located here:
http://support.microsoft.com/kb/893066

1. Why was 898060 re-released?
As of 6 May 2005, as part of the ongoing code maintenance and working with customers, versions of the 898060 hotfix have been released for Windows 2000, Windows XP and Windows Server 2003.
These updated hotfixes were updated to address very limited situations where the original hotfix may not have successfully resolved all issues. These updated hotfixes contain changes to address only those circumstances.
In addition, the updated hotfix for Windows Server 2003 SP1 also contains a change to address an issue experienced only when running Internet Security Systems' (ISS) products.

2. I deployed the earlier versions of the hotfix, and I am no longer experiencing symptoms detailed in 898060, do I need to deploy the updated versions?
No. Customers who have deployed the hotfix already and are no longer experiencing the symptoms detailed in 898060 need not take any action and do not need to deploy the new versions.
However, customers who have deployed the Windows Server 2003 SP1 version of the hotfix available prior to 6 May 2005 and are no longer experiencing the symptoms detailed in 898060 BUT are experiencing issues with ISS' products should test and deploy the updated version of the hotfix.

3. I deployed the earlier versions of the hotfix, and I am STILL experiencing symptoms detailed in 898060, do I need to deploy the updated version?
Yes. Customers who have deployed the versions of the hotfixes made available PRIOR to 6 May 2005 and are STILL experiencing the symptoms detailed in 898060 should test and deploy the latest versions of the hotfix.

4. I haven't deployed any version of the hotfix, and I am experiencing symptoms detailed in 898060, what should I do?
Customers who experience the issue outlined in 898060 and have not deployed the hotfixes should deploy the latest versions of the hotfixes.

5. How can I identify if I have the latest version of 898060?
Microsoft Knowledge Base article 898060 is being updated to reflect the file version information for the latest versions of the hotfixes.

6. Why was 898060 released?
Microsoft Knowledge Base Article 898060 was released to address issues encountered in a very specific and limited situation where disruptions in network connectivity may be experienced after the installation of either security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1 (SP1).

7. When would these issues likely be encountered?
These issues would arise primarily in WAN and LAN configurations and scenarios where routers and data-link level protocols that have different Maximum Transmission Units (MTUs) are used across the network.

8. What were the issues encountered?
When these issues would arise, customers would report any one or more of the following:
- Inability to connect to terminal servers or to file share access.
- Failure of domain controller replication across WAN links.
- Microsoft Exchange servers cannot connect to domain controllers.

9. What causes these issues?
These issues occur because the code incorrectly increments the number of host routes on the computer when it modifies the MTU size of a host route.
The maximum number of host routes is controlled by the Registry Value in MaxIcmpHostRoutes and the default number of host routes is 1,000.
Because the code incorrectly increments the number of host routes, the number of host routes eventually reaches the maximum value. After the maximum value is reached, the ICMP packets are ignored, creating the symptoms associated with this issue.

10. What is Microsoft's recommendation on whether I should apply 898060?
Microsoft's official recommendation is that you should apply 898060 only if you encounter these issues. This recommendation is detailed in the KB article 898060.

11. Is there any way for me to proactively tell if I'll need 898060?
This specific issue will manifest only if certain networking conditions are true, specifically, if different MTUs are set in the environment. Because of this, the only way to know proactively if you might encounter this issue is to determine if you use different MTUs in your environment or not.

12. It sounds like when I would need 898060 I wouldn't have network connectivity. If that's the case, I won't be able to deploy the hotfix 898060. Should I just go ahead and deploy it proactively?
While we test hotfixes as thoroughly as possible, by their nature they are not subject to the same testing as a security update, like MS05-019. Because of this, it is possible for a hotfix to have issues that have not yet been identified and thus hotfixes have a greater inherent stability risk than a broadly released update.
Microsoft's standard recommendation for hotfixes is that you only apply the hotfix when the problem it was developed to address is encountered. This is because in this circumstance, the risk of the potential for problems related to the hotfix is clearly outweighed by the immediate risk of the issue encountered.
While Microsoft does not recommend applying hotfixes proactively when the issue it was designed to address is not present, customers should perform their own risk assessment based on their specific circumstances to determine the most appropriate course of action for them.
For some customers, the risk of possible problems related to the hotfix may be outweighed by the risk of the occurrence of those problems the hotfix was designed to address. These customers may determine that the most appropriate course of action is to deploy the hotfix proactively.

13. Can I just deploy 898060 and not deploy MS05-019?
No, when deploying the hotfix Microsoft recommends that you first deploy MS05-019 and then the hotfix.

14. Can I use SUS to deploy 898060?
No. Because hotfixes are not distributed via Windows Update, they cannot be deployed using SUS.

15. Can I use SMS to deploy 898060?
Yes, you can use SMS to deploy 898060. However, you will have to manually build the deployment package for this. Because this is not detected by any security update scanning engine, you cannot use any of the automated deployment tools with this update.

16. Can I use MBSA to detect that I will need 898060?
No. MBSA can detect systems that require MS05-019 but cannot detect systems that require 898060.

17. Can MBSA tell me when the hotfix has been applied?
Once the hotfix 898060 has been applied, when MBSA is run, it will raise a warning that a file version was found to be greater than expected.

18. Can I use qfecheck (KB 282784) to confirm that 898060 has been installed?
Yes, you can use qfecheck to confirm that 898060 has been installed.

19. How is Microsoft making 898060 (including the re-released versions) available to customers?
Currently, the hotfix is available as a private hotfix. Customers can obtain this by contacting Microsoft Product Support Services. The call to obtain the hotfix is no-charge.

20. Will Microsoft re-release MS05-019?
Currently, there are no plans at this time to re-release MS05-019. However, Microsoft is constantly evaluating the situation based on customer request, feedback and experiences.

If you have any questions regarding this alert, please contact your Technical Account Manager or Application Development Consultant.

Thank you,
Microsoft PSS Security Team
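
A toy model of the cause described in answer 9, added here as an illustration; it is not Microsoft's code and not part of the original alert. The table layout, function names and addresses are hypothetical, and only the default limit of 1,000 host routes comes from the alert. It shows how counting MTU modifications as new host routes exhausts the limit with only three real destinations, after which ICMP messages are ignored.

```c
#include <stdio.h>

#define MAX_ICMP_HOST_ROUTES 1000  /* default limit stated in the alert */

struct route_table {
    unsigned dest[MAX_ICMP_HOST_ROUTES]; /* constructed destination addresses */
    int mtu[MAX_ICMP_HOST_ROUTES];
    int entries;  /* host routes actually stored */
    int counted;  /* counter compared against the limit */
    int buggy;    /* 1 = MTU modifications are counted as new routes */
};

/* Process one ICMP "fragmentation needed" message.
   Returns 1 if the MTU was applied, 0 if the message was ignored. */
int on_icmp_frag_needed(struct route_table *t, unsigned dest, int mtu)
{
    if (t->counted >= MAX_ICMP_HOST_ROUTES)
        return 0;                      /* limit reached: ICMP is ignored */
    for (int i = 0; i < t->entries; i++) {
        if (t->dest[i] == dest) {      /* existing host route: modify MTU */
            t->mtu[i] = mtu;
            if (t->buggy)
                t->counted++;          /* the defect: no route was added */
            return 1;
        }
    }
    t->dest[t->entries] = dest;        /* new host route: counting is correct */
    t->mtu[t->entries] = mtu;
    t->entries++;
    t->counted++;
    return 1;
}

/* Send `total` messages round-robin to `hosts` destinations.
   Returns the index of the first ignored message, or -1 if none. */
int messages_until_ignored(int buggy, int hosts, int total)
{
    struct route_table t = {0};
    t.buggy = buggy;
    for (int i = 0; i < total; i++) {
        unsigned dest = 0x0A000001u + (unsigned)(i % hosts);
        if (!on_icmp_frag_needed(&t, dest, (i % 2) ? 1300 : 1400))
            return i;
    }
    return -1;
}

int main(void)
{
    printf("buggy, 3 hosts: first ignored at %d\n", messages_until_ignored(1, 3, 5000));
    printf("fixed, 3 hosts: first ignored at %d\n", messages_until_ignored(0, 3, 5000));
    return 0;
}
```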