Offense in depth

by Michael S. Kaplan, published on 2007/07/11 23:35 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2007/07/11/3824400.aspx


It is something I found out about right after I saw the post on Shawn's blog entitled Security patch MS07-040 for .Net 2.0 breaks some culture names for .Net 2.0 on Windows XP/2003/2000.

The issue is the one I first blathered about in Important changes in NLS that span Windows and the .NET Framework.

I have to admit I do not like when this sort of thing happens.

The MS07-040 Security Bulletin text does not mention it, and neither does KB 931212 that "documents the currently known issues that customers may experience when they install this security update."

Update 3:51pm: Note that KB 939949 does talk about this change, and hopefully they will update the oher KB to link to it soon and make this blog post look horribly out of date!

Somehow this just got shoved in, and if Shawn hadn't posted about it then no one would know until applications that used to work started breaking.

How is this not an issue to at least mention?

Now please don't misunderstand me; I do think it is an important issue, and given that some platforms (like Vista) had the fix and some did not, some apps were already having problems.

But no wants "stealth" fixes, especially ones with potential backcompat breaks in them.

In my opinion, the update should have been a separate optional one, not one that you can only opt out of if you fail to pick up multiple security bug fixes. Or even if it was listed s required, it still should have been kept separate so people could opt out....

 

This post brought to you by (U+2322, a.k.a. FROWN)


# Dean Harding on 12 Jul 2007 1:00 AM:

Why is it in a security patch, anyway? What's it got to do with security?

# Michael S. Kaplan on 12 Jul 2007 1:01 AM:

That was my point, Dean. :-)

# Michael S. Kaplan on 12 Jul 2007 1:04 AM:

Well, technically that is not true. That was half of my point.

The other half is that if it is going to be included, this should be mentioned. That is a credibility issue, pure and simple.

# Dean Harding on 12 Jul 2007 1:57 AM:

> The other half is that if it is going to be included, this should be mentioned.

Oh, heh, I thought your only point was that it wasn't documented (which is a valid point, of course). Just not clear to me that you also didn't like the fact that it was in there at all (well, except the bit at the end about how it should've been an optional download... actually now that I read your post again, that point was fairly clear... ok, move along!)

# IDisposable@gmail.com (Marc C. Brooks) on 12 Jul 2007 2:11 AM:

Why even ship this in broken form? There's no conflict in leaving the "old names" active and usable.  It's not like they're going to conflict with any new culture names going forward!

# Mike Dimmick on 12 Jul 2007 5:54 AM:

Technical issue: the .NET Framework is serviced with cumulative updates to components. Due to the effects of the actual code changes on the CLR, a large part of the framework was included in the patch. It's more work, obviously, to just make the changes to fix the security issue based on the last general release.

The Windows team manages it with the GDR/QFE chains in their OS hotfixes (where the QFE chain is cumulative, and GDR contains only the changes since the last service pack or [I think] security patch). If you've installed any non-general release hotfixes (for this component?) you get the QFE version, otherwise you get the GDR version. This is much harder to do - it may even be impossible - if your installer is a Windows Installer patch.

# Michael S. Kaplan on 12 Jul 2007 6:26 AM:

Hi Mike,

Yep, this is why I am most bothered by the lack of info (though I was just pointed at KB939949, which does cover this stuff (so the only flaw is that nothing in the patch info points to this article).

# Steve on 12 Jul 2007 11:31 AM:

MS07-040 breaks a lot more then just names. It toasted a major study on an asp.net box (c#05, ss2000,asp.net2). It is causing an Exception of type 'System.OutOfMemoryException' crash that will not allow .net to run. Furthermore, when an uninstall is attempted, it dies and totally kills .net. Others are starting to awake to the issues...

http://isc.sans.org/diary.html?storyid=3132&rss


referenced by

2007/09/17 The torrents of U+fffd (aka When security and conformance trump compatibility and reality)

go to newer or older post, or back to index or month or day