Here’s the top feeds you should be subscribed to (CVE tags are reported in brackets):

1. NIST Vulnerability Database.
2. US Cert Technical Security Alerts [CERT].
3. SecurityFocus Vulnerabilities [SF-INCIDENTS].
4. Open Source Vulnerability Database [OSVDB].
5. IBM Internet Security Systems Threats [ISS].
6. Vupen Security Advisories [VUPEN].
7. Secunia Latest Security Advisories (Unofficial) [SECUNIA].
8. eEye Security Advisories [EEYE].

The above list is also available as OPML file you can import into your feed reader.

Furthermore, you should subscribe to Operating Systems product-centric vulnerability feeds to ensure you receive timely information regarding updated packages and suggested workarounds for your infrastructure. Here’s a comprehensive list, sorted alphabetically:

1. Apple Security Announce (Mac OS X, iPhone, etc) [APPLE].
2. Checkpoint’s SmartDefense Service [CHECKPOINT].
3. Cisco’s Product & Service Security Advisories [CISCO].
4. Debian Security Advisories [DEBIAN].
5. Fedora Security Updates [FEDORA].
6. FreeBSD Security Advisories [FREEBSD].
7. Gentoo Linux Security Advisories (GLSA) [GENTOO].
8. Mandriva Security Advisories [MANDRIVA].
9. Microsoft’s Security Notification Service Comprehensive Edition [MS].
10. NetBSD Security Advisories [NETBSD].
11. OpenPKG Security Advisories [OPENPKG].
12. OpenBSD Errata [OPENBSD].
13. Red Hat Security Advisories [REDHAT].
14. Slackware Linux Security Advisories [SLACKWARE].
15. Solaris SunSolve Alerts [SUNALERT].
16. SUSE Linux Enterprise Security Advisories (also contains OpenSUSE advisories) [SUSE].
17. Ubuntu Security Notices [UBUNTU].

OS security advisory feeds are available as OPML file as well.

Have I missed anything? Please report if you find some advisory feed I accidentally missed. Also, if you’re into an Operating System security team and you don’t offer a security announcement feed, please consider making it available.

What I found out was that machines were configured to access netlogon share and run a VBScript script upon logon, to set a few things like printing shares and stuff like that. Unluckily, Windows 2000 has a problem with this, because if VBScript instantiates a WMI object and uses it to read registry keys, then WMI object is not released correctly and this locks the registry hive and therefore Windows logoff sync aborts after a long wait.

The problem is known to Microsoft and a report on the issue is published at KB 819536. Now since this lab is located in Italy and and Windows 2000 is localized in italian, Microsoft Knowledge Base site opened in Italian and the page with the bug report mentioned that an hotfix was available but one should call Microsoft support service at no charge to receive it, no link to download the file or anything. So my collegue looked up Microsoft Italia phone number and called up:

Sysadmin: «Hello, I have a problem with a Windows 2000 workstation and I need a hotfix.»
Microsoft female voice: «Ok, so I need to open a support case and have someone from the staff call you back.»
Sysadmin: «Ok.»
Microsoft female voice: «Is your workstation stand-alone or in a domain?»
Sysadmin: «Domain.» (it was a samba domain, but better not tell.)
Microsoft female voice: «Ok, listen, your machine is NOT in a domain.»
Sysadmin: «Uh?»
Microsoft female voice: «Look, if I open a enterprise support request for machines in a domain, you have to pay € 299, while if you request a stand-alone support call, it costs you just € 79.»
Sysadmin: «Erm…Your website states that hotfixes are free, aren’t they?»
Microsoft female voice: «Possibly, but just in case you need further help, your fee will be lower.»
Sysadmin: «Err…ok…nice.» (these Microsoft employees must be really fed up working for the devil himself.)
Microsoft female voice: «So, now I need your phone number and your credit card details…»

After one hour we received a call from a guy at their support team. We explained him what we needed and he told us that hotfix was free and we would not pay anything. Then he sent the hotfix over via e-mail. The hotfix worked perfectly and replaced C:\WINDOWS\system32\wbem\stdprov.dll version 1.50.1085.104 with version 1.50.1085.105.

In the hotfix e-mail he also dropped a note saying that Windows 2000 is not supported anymore and therefore hotfixes that are not security-related are not available anymore to customers (he sent the hotfix by mistake). He also said that we would not pay the hotfix he already sent, but that we should consider this information for future requests. In a subsequent phone call from him, he told me that his boss made clear that this is the official position of the company regarding hotfixes for Windows 2000.

Now the crazy thing: when I looked back on Microsoft’s knowledge base in English (USA), I noticed that on all country versions except Italy, hotfixes for all languages and all Operating Systems are available for download directly at their site at no charge (a download request link is rendered just under the title).

Moral of the story: proprietary software can actually let you down in ways you don’t imagine, so if you’re near the end of support cycle, download all the patches and hotfixes you can and make backups.