From: crawdad@fnal.gov
Subject: New Windows Critical Vulnerabilities / Required Patches
Date: July 19, 2004 15:01:56 CDT
To: computer-security@fnal.gov
Cc: pc-manager@fnal.gov, winpol@fnal.gov

The following patches are now mandatory and their corresponding
vulnerabilities are Fermilab-Critical for the corresponding systems.

MS04-021 for every Windows system with IIS 4 installed. (Listserv &
         vmsserver1 are the only such hosts recently seen running
         IIS 4. But any machine with IIS 4 installed but not enabled
         must also be patched.)

MS04-022 for every Windows 2000 and XP system, and NT4 if IE6 is
         installed (including dual-boot, VMware or VirtualPC
         installations).

MS04-023 for every Windows 2000, XP and 2003 system, and NT4 if IE5.5
         or IE6 is installed. (including dual-boot, VMware or
         VirtualPC installations).

MS04-024 for every Windows NT4, 2000, XP and 2003 system (including
         dual-boot, VMware or VirtualPC installations).

For those who'd rather see the KB numbers instead of the MS bulletin
numbers ...

MS04-021 <=> KB841373
MS04-022 <=> KB841873
MS04-023 <=> KB840315
MS04-024 <=> KB839645

Although there is not yet any network-based test for the presence of
some of the above patches, they are required to be installed by this
coming FRIDAY, JULY 23. There have already been a few system
infections or compromises which may be due to the lack of some of the
above patches.

Matt Crawford
Fermilab Computer Security Coordinator
+1 630 840 3461

** Computer security contact line: +1 630 840 2345 **