Code Red Update
Code Red is still alive, well, and replicating in networks around the planet. Windows 2000 Advanced Server (Win2K AS) and Win2K Server install Microsoft IIS by default, which makes nearly every vanilla Win2K system vulnerable to this Denial of Service (DoS) worm. Windows NT systems running IIS 4.x are also vulnerable. New variants continue to spread, and we, the IT professionals, are responsible for both the ease with which Code Red propagates and for the corrective action necessary to eliminate the worm.

I see daily evidence that Code Red is still madly spreading through cyberspace. Just last week, I cleaned up three Code Red-infected systems at a client site. My Internet connection has been inundated by HTTP requests from what appear to be infected systems for weeks. (By inundated, I mean 20 to 30 times per minute, all day, every day, from 10 to 15 source addresses.) Many of the source TCP/IP addresses are registered to my ISP, but repeated attempts to beg my ISP for corrective action have failed miserably. I interpret all this information to mean that many users out there are unaware that their systems are infected with Code Red.

Given the publicity Code Red has generated, I’m surprised that the IT world has been unable to eradicate the worm. It takes just one infection to spread Code Red again, like wildfire. Even if you think your network is clean, check it again. Check the notebooks your employees use for remote access. If your Win2K and NT desktop systems don’t need to host local Web sites, disable the services this worm attacks. If servers do need this functionality, download and install the updates immediately. My poor firewall needs a break.

Microsoft documents the original outbreak of Code Red in Security Bulletin MS01-33. For the most recent security rollup packages for Win2K and NT 4.0 that contain fixes for Code Red and numerous other IIS vulnerabilities, see "IIS Security Rollup Includes Code Red Fix," below.

IIS Security Rollup Includes Code Red Fix
On August 15, Microsoft released a security rollup package that contains the Code Red fix and that closes two newly discovered Denial of Service (DoS) vulnerabilities. The rollup also eliminates one malicious code opportunity and one privilege elevation opportunity in Internet Information Server (IIS) 4.0 and Internet Information Services (IIS) 5.0. The NT 4.0 rollup also includes all IIS security hotfixes released for Windows NT 4.0 since Service Pack 5 (SP5), so it supercedes the earlier security hotfixes. The bulletin indicates that the rollup also eliminates a side effect of the previous IIS cumulative patch by restoring proper functioning of User Principal Name UPN-style logons via FTP and the WWW Web service (W3SVC).

Here are the need-to-know items you should be aware of before you install the security rollup on your Win2K or NT 4.0 systems:

  • You can only eliminate four of the IIS 4.0 vulnerabilities by logging on as an Administrator and manually modifying IIS 4.0 configuration variables. The download contains information on how to manually make the required changes.
  • NT 4.0 systems must be running SP5 or SP6a. If you installed IIS 4.0 after installing the service pack and thus were required to load files from the original NT 4.0 distribution kit, you must reinstall the service pack to have a clean system. Then, you can safely apply the rollup.
  • The rollup package contains one security hotfix for Index Server (IS), but you must download and apply several other IS hotfixes separately to close all the known vulnerabilities.
  • The rollup package doesn't include security hotfixes for Microsoft FrontPage Server Extensions, so you need to research and apply these if your systems run this component.
  • On IIS 5.0 systems, you must re-enable WWW Distributed Authoring and Versioning (WebDAV) before you install the security rollup to ensure that the file httpext.dll properly updates.

Read about the details of the rollup in Security bulletin MS01-044. You must download the bundled package specific to your IIS version. If you’re running IIS 4.0,download the rollup from the Microsoft Web site. You can install this bundled update on NT systems running SP5 or SP6a. Download the IIS 5.0 update from the Microsoft Web site. You can install this package on Win2K systems running SP1 or SP2.

NT 4.0 Post-SP6a Security Rollup
I heard from several readers who installed the Windows NT 4.0 post-Service Pack 6a (SP6a) security rollup, which you can download from the Microsoft Web site. Users tell me that the rollup caused blue screens on some systems and froze keyboards and mice on others. NT 4.0, which is much more fragile than Windows 2000, is susceptible to many potential causes for blue screens and disappearing devices. I can easily imagine someone installing the security rollup on an NT 4.0 system that has been sitting in a back corner for months. With an old workhorse, it’s easy to forget that you need to reboot, start a critical service, or run a full backup before installing an OS update.

With OS patches, you should always install the update on a test system before you apply it to a production system. If the results are satisfactory on the test system, back up your production system before you apply the update. I’m down to one NT 4.0 system, and it's hidden behind a firewall, so I didn’t test the security rollup myself. I’m relying on readers to confirm or deny how well the rollup installs and functions. Let me know, and I’ll spread the word.