Lesson 1: Updating Fundamentals

Microsoft continually works to improve its software. As part of this effort, Microsoft develops updates to solve problems that are discovered in software after the software is released. These problems often constitute security vulnerabilities.

There are, however, many different types of security vulnerabilities. Some have known exploits that are propagating quickly, and it is critical that these vulnerabilities are quickly fixed. Exploits are worms, viruses, Trojan horses, or other tools that can be used by an attacker to compromise a vulnerable computer. Others are less critical, and the risk of them being exploited isn’t high enough to justify the cost of rapidly deploying an update. Vulnerabilities might only apply to a handful of computers on your network, or they might affect every system. To address the wide variety of vulnerabilities, Microsoft provides several different types of updates throughout the lifecycle of a supported product.

This lesson describes the different types of updates released by Microsoft. It will also describe the Microsoft product lifecycle, which affects update management because Microsoft stops releasing security updates for products at the end of the lifecycle.

After this lesson, you will be able to

• Describe the differences between the types of updates that Microsoft might release.

• Understand the reasons to apply each type of update, and the reasons not to apply them.

• Plan around the lifecycles of Microsoft products to ensure that software used in your production environment is supported.

Estimated lesson time: 30 minutes

Introduction to Updates

An update, also known as a patch, is a file or a collection of files that you can apply to a Windows-based computer to correct a specific problem. Microsoft packages updates in a single self-contained, self-installing executable file with an .exe extension. By default, all updates automatically back up files that they replace so that you have the option of removing the update later if you want to.

Updates for the Microsoft Windows Server 2003 family and Windows XP 64-Bit Edition Version 2003 are named according to specific conventions. For updates you install on 32-bit versions of the Windows Server 2003 family, the convention is WindowsServer2003-KB######-x86-LLL.exe. For updates you install on 64-bit versions of the Windows Server 2003 family or Windows XP 64-Bit Edition Version 2003, the convention is WindowsServer2003-KB######-ia64-LLL.exe.

Updates for other operating systems and applications use a similar naming scheme. Windows XP updates, logically, use the convention WindowsXP-KB######-x86- LLL.exe, while Windows 2000 updates use the Windows2000-KB######-x86-LLL.exe convention. In all cases, ###### represents the Microsoft Knowledge Base article number, and LLL represents the three-letter language code. For example, the 32-bit English version of the update associated with Knowledge Base article 824105 is named WindowsServer2003-KB824105-x86-ENU.exe. The 64-bit French version of the update is named WindowsServer2003-KB824105-ia64-FRA.exe.

Updates are applied only to software that is already installed when you apply the update. For instance, if you uninstall Internet Information Services (IIS) and then later reinstall it, you must also reinstall any IIS updates. The exception to this, however, is service packs. After you install a service pack, fixes are applied to all components you add or reinstall without you having to reinstall the service pack.

Types of Updates

There are many different types of problems that might need to be fixed in any piece of software, and various types of problems must be dealt with differently. When a security vulnerability is discovered in Windows, Microsoft must provide an update to customers quickly so that the vulnerability can be removed before the vulnerability is exploited on a large scale.

Though most recent updates are security related, other types of updates address reliability problems. Over time, customers might find problems related to the compatibility or reliability of a piece of software. Updates that resolve these problems are less critical to customers not actively experiencing the problem, because, although they improve the software, the cost associated with not applying the update quickly is much lower.

To address the various types of problems that might need to be fixed, Microsoft provides several different kinds of software updates: recommended updates, driver updates, security updates, critical updates, hotfixes, security rollup packages, feature packs, and service packs.

Recommended updates

A recommended update addresses a non-critical, non-security-related problem. For example, the “Update for Jet 4.0 Service Pack 8” recommended update, associated with Knowledge Base article 829558, makes a handful of improvements to a commonly used database engine included with Windows. It does not remove any security vulnerabilities, however, so it is not considered a critical update or a security update.

Recommended updates might also add new features. For example, the “Microsoft Windows Journal Viewer” recommended update for Windows XP Professional and Windows XP Home Edition allows users to view files created with an application included only with tablet computers. In this example, the recommended update is not resolving a problem; it is adding new functionality to the operating system.

Driver updates

All versions of Windows come with a large number of drivers that enable support for a wide variety of hardware. The hardware vendors are generally responsible for the support of drivers, but Microsoft occasionally releases updated versions of drivers.

The fact that Microsoft occasionally releases updated versions of drivers does not relieve you of the responsibility of working with your hardware vendors to retrieve updated drivers. Microsoft does not release updated drivers until they have been officially signed by Microsoft, a process that delays the release of the software by days or weeks. Hardware vendors often release unsigned drivers to customers before they are officially released by Microsoft.

Security updates

Just about everyone who uses any variety of Windows is familiar with security updates. A security update is an update that the Microsoft Security Response Center (MSRC) releases to resolve a security vulnerability. Microsoft security updates are available for customers to download and are accompanied by two documents: a security bulletin and a Microsoft Knowledge Base article.

A Microsoft security bulletin notifies administrators of critical security issues and vulnerabilities. Usually, but not always, the security bulletin is associated with a security update that can be used to patch the vulnerability. Security bulletins generally provide detailed information about who the bulletin concerns, the impact of the vulnerability, the severity of the vulnerability, and a recommended course of action for affected customers.

Security bulletins are written for administrations, and therefore assume that the reader is technically trained and intimately familiar with Windows and security terminology. However, security vulnerabilities also affect many end users. Therefore, Microsoft also releases end-user versions of many security bulletins. These versions use a friendlier, more accessible language to describe the risks and the best ways to resolve the vulnerabilities. If available, the end-user version of the security bulletin will be referenced in the original security bulletin.

Security bulletins usually include the following pieces of information:

• Title. The title of the security bulletin, in the format MSyy-###, where yy is the last two digits of the year and ### is the bulletin number for that year.

• Summary. Information about who should read the bulletin, the impact of the vulnerability and the software affected, the security rating, and the MSRC’s recommendation for how to respond to the bulletin.

• Technical description. A detailed description of the vulnerability, and the circumstances under which the vulnerability could be exploited.

• Mitigating factors. Technical factors that reduce the likelihood of a vulnerable system being exploited.

• Severity rating. A rating of None, Low, Moderate, Important, and Critical for each type of software that the vulnerability might affect.

• Vulnerability identifier. Links to organizations external to Microsoft that classify the security vulnerability.

• Tested versions. A list of software that Microsoft has tested for the vulnerability.

• Frequently asked questions. Answers to questions that Microsoft anticipates about the specific security bulletin.

• Update availability. Locations from which to download the update.

• Additional information.Information about installation platforms, whether a reboot is needed, whether the update can be uninstalled, and how to verify that the update was successfully installed.

The severity level of a bulletin gauges the risk posed by the vulnerability that the update fixes. This severity level can be None, Low, Moderate, Important, or Critical. The MSRC judges the severity of a vulnerability on behalf of the entire Microsoft customer base. The impact a vulnerability has on your organization might be more, or less, serious.

The following is an excerpt from an actual security bulletin released for Windows Server 2003 and other Windows operating systems on July 23, 2003. This version has been edited to save space. You can find the original bulletin at http://www.microsoft.com/technet/security/bulletin/MS03-030.asp.

Unchecked Buffer in DirectX Could Enable System Compromise (819696)

Originally posted: July 23, 2003

Updated: August 20, 2003

Summary:

Who should read this bulletin: Customers using Microsoft Windows

Impact of vulnerability: Allow an attacker to execute code on a user’s system

Maximum Severity Rating: Critical

Recommendation: Customers should apply the security patch immediately

Affected Software:

DirectX 5.2 on Windows 98

DirectX 8.1 on Windows XP or Windows Server 2003

An End User version of the bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-030.asp.

Technical description:

There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. A security vulnerability results because it could be possible for a malicious user to attempt to exploit these flaws and execute code in the security context of the logged-on user.

An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file designed to exploit this vulnerability and then host it on a Web site or on a network share, or send it by using an HTML-based e-mail. A successful attack could cause DirectShow, or an application making use of DirectShow, to fail. A successful attack could also cause an attacker’s code to run on the user’s computer in the security context of the user.

Mitigating factors:

By default, Microsoft Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks the e-mail-based vector of this attack because Microsoft Outlook Express running on Windows Server 2003 by default reads e-mail in plain text. If Internet Explorer Enhanced Security Configuration were disabled, the protections put in place that prevent this vulnerability from being exploited would be removed.

Severity Rating:

Vulnerability identifier: CAN-2003-0346

Tested Versions: Microsoft tested DirectX 9.0a, DirectX 8.1, DirectX 7.0.

Download locations for this patch:

DirectX 5.2, DirectX 6.1 and DirectX 7.1 on Windows 98, Windows 98 SE and Windows Millennium Edition respectively

DirectX 7.0 on Windows 2000

In addition to security bulletins, Microsoft also creates Knowledge Base articles about security vulnerabilities. However, Knowledge Base articles undergo more review than security bulletins, and they are not released until after the bulletin. Knowledge Base articles generally include more detailed information about the vulnerability, and step- by-step instructions for updating affected computers.

Critical updates

A critical update is released quickly to all customers, like a security update. However, critical updates are not related to security problems, and they do not have associated bulletins. A critical update will be associated with one or more Knowledge Base articles that describe the problem and the update in detail.

Because critical updates, like security updates, are released to customers as quickly as possible, they do not undergo extensive testing from Microsoft. Critical updates should be handled differently from security updates, however. You do not need to apply a critical update unless you are actively experiencing the problem resolved by the update. Instead, you should wait for the next service pack to be released, because the service pack will include the update and will have gone through testing to ensure compatibility. Security updates, on the other hand, should be applied proactively to prevent vulnerabilities from being exploited.

Hotfixes

A hotfix is a package that includes one or more files to address a problem for a specific customer. Generally, you receive a hotfix only when you have been working with Microsoft Product Support Services (PSS) and they determine that the problem you’re experiencing is caused by a bug in Microsoft software. They will probably release an update to the bug to the general customer population, but that might take several months. In the meantime, PSS provides you a hotfix to resolve the problem.

Hotfixes developed for the current shipping service pack will not be automatically created for the immediately preceding service pack. Customers who want a hotfix on the immediately preceding service pack should contact Microsoft and request the hotfix. Security patches released with bulletins from the Microsoft Security Response Center will be reviewed and built for the immediately preceding service pack whenever commercially viable.

Security rollup packages

There have been times when Microsoft has released a significant number of security and critical updates between service packs. It is cumbersome to install a large number of updates separately, so Microsoft releases a security rollup package (SRP) to reduce the labor involved in applying updates. An SRP is a cumulative set of hotfixes, security updates, critical updates, and other updates that are packaged together for easy deployment. An update rollup generally targets a specific area of a product, such as security, or a component of a product, such as IIS. SRPs are always released with a Knowledge Base article that describes the rollup in detail.

Feature packs

Feature packs are not released to fix problems with existing software, but to add new features. In the past, Microsoft included new features with service packs, but customers were wary of installing updates that added new features that could potentially introduce new bugs. Now, service packs contain only updates to existing software, and Microsoft releases feature packs to add functionality. Feature packs are typically included with the next release of the product.

Service packs

A service pack is a cumulative set of all the hotfixes, security updates, critical updates, and other updates that have been created for a Microsoft product. A service pack also includes fixes for other problems that have been found by Microsoft since the release of the product. Service packs might also contain a limited number of customer- requested design changes or features. Like critical updates, service packs are available for download and are accompanied by Knowledge Base articles.

The chief difference between service packs and other types of updates is that service packs are strategic deliveries, where updates are tactical. That is, service packs are carefully planned and managed, and the goal is to deliver a well-tested, comprehensive set of fixes that is suitable for use on any computer. In contrast, security updates and critical updates are developed on an as-needed basis to combat specific problems that require an immediate response.

Microsoft does not release a service pack until it meets the same quality standards as the product itself. Service packs are constantly tested as they are built, undergo weeks of rigorous final testing that includes testing in conjunction with hundreds or thousands of non-Microsoft products, and undergo a beta phase during which customers participate in the testing. If the testing reveals bugs, Microsoft will delay the release of the service pack.

Product Lifecycles

Updates might seem like a nuisance, but keeping software updated is critical for keeping your computers protected against vulnerabilities that are constantly being discovered. But there does come a point when Microsoft stops releasing updates for a particular product. Every product has a lifecycle, and at the end of the lifecycle, Microsoft stops providing updates. This doesn’t mean that no new vulnerabilities will be discovered in the product, however. To keep your system protected from the latest vulnerabilities, you will need to upgrade to the latest operating system.

Microsoft offers a minimum of five years of mainstream support from the date of a product’s general availability. When mainstream support ends, businesses have the option to purchase two years of extended support. Additionally, online self-help support, such as the Knowledge Base, will still be available.

Security updates will be available through the end of the extended support phase— seven years after the date of the product’s general availability—at no additional cost for most products. You do not have to have an extended support contract to receive security fixes during the extended support phase. This means that Microsoft will release security updates for Windows Server 2003 until at least 2010, as shown in Figure 5.1. In all likelihood, your organization will have upgraded its Windows Server 2003–based computers to a newer operating system by then. However, you must keep the product life cycle, and particularly the period during which security updates will be released, in mind when planning future operating system upgrades.

Figure 5.1: The Windows Server 2003 product lifecycle

You have to keep reasonably up-to-date on updates to continue to receive Microsoft support, because Microsoft only provides support for the current and immediately preceding service pack. This support policy allows you to receive existing hotfixes, or to request new hotfixes, for the currently shipping service pack, the immediately preceding service pack, or both during the mainstream phase.

Chaining Updates

In the past, installing multiple updates on a computer required restarting the computer between each update. If an administrator was installing several updates, the downtime on the server could be significant. Microsoft introduced the QChain tool to allow administrators to install multiple updates on computers running Microsoft Windows NT, Windows 2000, and Windows XP without restarting the computer after each update is installed. QChain handled the complexities that arose when applying multiple updates, such as ensuring that the correct version of a file is retained if it is included in multiple updates. Using QChain required creating a script to install the multiple updates and then starting QChain from the script.

Windows Server 2003 does not require the use of QChain, because QChain functionality is built into all new updates, including every update released for Windows Server 2003. To install multiple updates, you only need to launch each update’s executable file using the /Z and /M parameters, and then restart the computer if necessary. The following is a sample batch file that could be used to install three updates located in the Z:\updates\ folder:

Z:\updates\WindowsServer2003-KB999997-x86-ENU.exe /Z /M Z:\updates\WindowsServer2003-KB999998-x86-ENU.exe /Z /M Z:\updates\WindowsServer2003-KB999999-x86-ENU.exe /Z /M

If you use Automatic Updates with the Windows Update Service or Software Update Services (SUS), updates are automatically chained without requiring administrator intervention. Some updates, such as service packs, cannot be chained with other updates.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Which of the following types of updates is/are cumulative? (Choose all that apply.)

   1. Updates

   2. Security updates

   3. Critical updates

   4. Hotfixes

   5. Security rollup packages

   6. Feature packs

   7. Service packs

2. Which of the following types of updates can reduce the number of vulnerabilities on a computer? (Choose all that apply.)

   1. Updates

   2. Security updates

   3. Critical updates

   4. Hotfixes

   5. Security rollup packages

   6. Feature packs

   7. Service packs

3. Which of the following types of updates have not been fully tested for compatibility by Microsoft? (Choose all that apply.)

   1. Updates

   2. Security updates

   3. Critical updates

   4. Hotfixes

   5. Security rollup packages

   6. Feature packs

   7. Service packs

4. Which of the following pieces of information are not contained in a security bulletin? (Choose all that apply.)

   1. Software affected by the vulnerability

   2. Location from which to download update

   3. Location from which to download programs that exploit vulnerabilities

   4. Severity rating

Lesson Summary

• Microsoft releases many different types of updates, including critical updates, security updates, service packs, and hotfixes.

• A security bulletin announces a new security update and contains detailed information about protecting your computers against the vulnerability.

• Chaining allows multiple updates to be applied with a single reboot.