For some reason, Europe’s ‘The Final Countdown’ was playing in my head as I sat and pondered this write-up. I suppose that’s fitting given that we are about to cross the 60-day mark until Windows Server 2003 goes End-of-Life.
The concept of product EOL can be confusing, especially given the frequent cross-contamination that exists within Microsoft products. I suspect a number of people will be rushing to polish the legacy Server 2003 systems they can’t migrate in the next 60 days, to ensure the best possible situation once the EOL occurs, so I wanted to address something that they may notice.
I’ve spoken to a few people about it with regard to past Microsoft bulletins, but MS15-048 raises the point again today, so it’s worth visiting.
Something that you may notice in the bulletin is a reference to a .NET 1.1 update for Windows Server 2003 without a matching update for .NET 1.1 on Windows Server 2003 x64. This may become more noticeable if you run a vulnerability management product like Tripwire IP360, see this vulnerability reported for .NET 1.1 on Windows Server 2003 x64, and can’t find the proper patch to install. Welcome to Microsoft and EOL products.
.NET 1.1 is officially EOL, and it has been since 2013. This means that Microsoft no longer provides updates for .NET Framework 1.1.
This is where your mind says, “But wait, Tyler… there’s a .NET Framework 1.1 patch in MS15-048.”
Your mind is correct. However, it’s not considered to be a .NET patch; it’s technically a Windows Server 2003 update.
You see, Windows Server 2003 shipped with .NET 1.1, but Windows Server 2003 x64 did not. If you wanted .NET Framework 1.1 on Server 2003 x64, you had to install it yourself. This was done via a stand-alone installer, the one that has been EOL since 2013.
A quick way to tell whether an update is for the version of .NET Framework that shipped with Windows or for the standalone version is to look at the update’s filename. Updates for the standalone version start with ‘NDP,’ while updates for the version that shipped with Windows begin with ‘Windows.’
This is a key difference between patch management and vulnerability management. While patch management will tell you which patches are missing, vulnerability management will tell you the vulnerabilities that exist. So, regardless of the vulnerability management tools you use, keep in mind that there may not always be a patch to solve the problem they are reporting.
In this case, the security-conscious individual would want to uninstall .NET Framework 1.1 from their Windows Server 2003 x64 systems in order to remediate the vulnerabilities.
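The filename rule and the patch-versus-uninstall decision described above can be combined into a small triage helper; this is an added example, not code from the original post. The package filename, its KB0000000 placeholder, the architecture tag supplied next to each filename, and the host names are all constructed assumptions.

```python
import ntpath

# Constructed sample data: KB0000000 is a placeholder, not a real package id.
# Assumption: the target architecture is recorded alongside each filename.
BULLETIN_PACKAGES = [
    ("WindowsServer2003-KB0000000-x86-ENU.exe", "x86"),
]

def update_channel(filename):
    """Classify an update by the filename prefix rule described in the post."""
    name = ntpath.basename(filename).lower()  # tolerate full Windows paths
    if name.startswith("ndp"):
        return "standalone"      # update for the separately installed framework
    if name.startswith("windows"):
        return "os-component"    # update for the framework that shipped with Windows
    return "unknown"

def dotnet11_channel(arch):
    """How .NET 1.1 reached a Server 2003 host, per the post."""
    # 32-bit Server 2003 shipped with it; x64 only has it through the
    # standalone installer, which has been EOL since 2013.
    return "os-component" if arch == "x86" else "standalone"

def remediation(arch, packages=BULLETIN_PACKAGES):
    """Return ("patch", filename) or ("uninstall", None) for a .NET 1.1 finding."""
    wanted = dotnet11_channel(arch)
    for filename, pkg_arch in packages:
        if pkg_arch == arch and update_channel(filename) == wanted:
            return ("patch", filename)
    # The scanner finding is valid, but no update exists for this install type.
    return ("uninstall", None)

if __name__ == "__main__":
    # Hypothetical hosts flagged by a vulnerability scanner.
    for host, arch in [("web01", "x86"), ("app02", "x64")]:
        print(host, arch, remediation(arch))
```
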