The problem with ICMP breaking (in some circumstances) is in both the
security update for MS05-019 and Service Pack 1 for Windows Server 2003.
Microsoft now has a hotfix available, but you must contact Microsoft PSS
to obtain the fix. For more information about the fix, see Microsoft KB
article KB898060 (dated today).
The KB article referenced in the security bulletin (893066) has been
updated, but the security bulletin itself has not been updates (thus no
automatic notice from Russ' e-mail for updated security bulletins).
If you try uninstalling the update for MS05-019, it presents you with a
vague dialog containing a warning about a relationship with the update
for MS05-020. Trying to get information from Microsoft about the
meaning of this dialog and whether it is saying that the update for
MS05-020 will also be automatically uninstalled, needs to be manually
uninstalled before uninstalling MS05-019, or needs to be reinstalled
after uninstalling MS05-019 has been difficult. I now have an
explanation, but have been asked to not forward the information and
instead refer people to Microsoft PSS.
(If this is a (new) standard procedure for uninstalling security
updates, I hope that there will be some documentation somewhere because
the presented dialog IMNSHO really just intimidates you and does not
give information on how to proceed.)
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of
Darryl J Roberts
Sent: Tuesday, April 19, 2005 6:11 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS05-019 Breaks VPN
After installing the update in Microsoft Security Bulletin
MS05-019 on two servers at a customer site, we are no longer
able to connect via VPN to terminal services on those servers.
(Other servers that did not have the security bulletins from
last Tuesday installed can connect via VPN.)
After many hours over two days working with Microsoft Product
Support Services, we discovered that forcing the MTU size down
allowed the client to connect to terminal services. Today
Microsoft PSS reported the they have confirmed that there is
a problem with ICMP messages being incorrectly discarded
(other have opened PSS cases about this issue). This could
be why the MTU size is not being set correctly.
There will be an update to the patch in MS05-019, but as
of this time, that update is not available. A Microsoft KB
article is being written and has been assigned the number
KB898060, but as to this time, that article is not publicly
available.
I will be uninstalling the update for Security Bulletin
MS05-019 from our customers servers this evening and waiting
for the corrected patch before reinstalling it.
--
Darryl J. Roberts, MCSE, MCP+I, CompTIA CTT+, CSSA
Software Engineering Unlimited, IT Professional Services Consultancy
Ventura, CA, USA
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
