[Full-disclosure] FYI: MS06-049 patch (920958) corrupts NTFS compression files



just FYI...

MS06-049 patch (920958) corrupts NTFS compression files.

Affected system
---------------

Windows 2000 SP4 + MS06-049 patch (920958)

Discussion
----------

* Discussion in English:
http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?&query=920958&lang=en&cr=US&guid=&sloc=en-us&dg=microsoft.public.win2000.file_system&p=1&tid=d826afe9-2ab1-4b2f-ae11-cc27702f574a
* Discussion in Japanese:
http://slashdot.jp/~oops/journal/
http://pc8.2ch.net/test/read.cgi/win/1151414872/47-
http://slashdot.jp/security/article.pl?sid=06/09/10/068243

How to demonstrate
------------------

1. Create a folder on an NTFS partition.
2. Enable NTFS compression on that folder.
3. Insert the Windows 2000 Installation disk into your CD-ROM drive.
4. Copy all files from the Windows 2000 Installation disk to that
folder.
5. Compare.

How to prevent
--------------

Uninstall MS06-049 patch (920958).

How to find corrupted files
---------------------------

Try the findcorr tool (by 147-win/1151414872):
http://211.2.20.24/pub/findcorr.lzh

C:\> findcorr.exe
Usage: findcorr [-a] [-d] [-e] path

Options:
-a Scan all files including uncompressed files.
-d Report compression directories.
-e Exact mode.

How to fix corrupted files
--------------------------

Restore them from backups.

Patch and NTFS compression
--------------------------

If you install the patch, the patch installer creates a backup folder
for uninstall, such as C:\WINNT\$NtUninstallKB920958$, and copies the
old files to it.

This folder has NTFS compression enabled automatically. You
cannot turn off this feature.

Official information from Microsoft
-----------------------------------

Not yet, but they are working to fix the problem.

- kjm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
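
One way to carry out the "Compare" step from "How to demonstrate" on a whole directory tree, as an added example that is not part of the original post and is not the findcorr tool: it hashes every file under a reference tree (for example the installation disk) and reports copies in the compressed folder that are missing or differ. The function names and the script name are assumptions made for this example.

```python
import hashlib
import os


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(reference_root, copy_root):
    """Return a sorted list of (relative_path, problem) for every file under
    reference_root whose counterpart under copy_root is missing or differs."""
    problems = []
    for dirpath, _dirs, files in os.walk(reference_root):
        for name in files:
            ref = os.path.join(dirpath, name)
            rel = os.path.relpath(ref, reference_root)
            dup = os.path.join(copy_root, rel)
            if not os.path.isfile(dup):
                problems.append((rel, "missing"))
            elif os.path.getsize(ref) != os.path.getsize(dup):
                problems.append((rel, "size differs"))
            elif file_digest(ref) != file_digest(dup):
                # Same length, different bytes: a size check alone misses this.
                problems.append((rel, "content differs"))
    return sorted(problems)


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: compare_trees.py REFERENCE_DIR COPY_DIR")
    found = compare_trees(sys.argv[1], sys.argv[2])
    for rel, problem in found:
        print(f"{problem}: {rel}")
    # Non-zero exit status when any file is missing or differs.
    sys.exit(1 if found else 0)
```

The same comparison can be run between a known-good backup and a live compressed folder before deciding which files to restore.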