NT 4.0 Security Roll-up and the issue of hotfixes
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 07/27/01
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F167B2D@muskie.rc.on.ca>
Date: Fri, 27 Jul 2001 14:50:15 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: NT 4.0 Security Roll-up and the issue of hotfixes
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I'm tired, ticked off, and well just not in the best of moods this
morning so I decided to take a swipe at my good friends over at the
Microsoft Security Response Center.
Nobody can accuse me of Microsoft bashing, god knows I think the MSRC
has done an amazing job at getting Microsoft as a whole to focus
better on security issues, but recently I was trying to nail down
just what one should do to an NT 4.0 system to make it secure.
Earlier I took a swipe at many of the administrative things folks
should do, largely from Microsoft's Security Checklist for IIS 4.0.
This time I decided to march down the Hotfix path and see just what
was needed.
I found four resources at Microsoft's web site, each, to some extent,
telling me they were the place to find much-needed security patch
information. The most obvious was the Technet Security Site, or the
home of the MSRC. There I looked at two pages;
http://www.microsoft.com/technet/itsolutions/security/current.asp?productid=16&servicepackid=7
A list of all bulletins relating to IIS 4.0 with SP6a installed (on
NT 4.0 one has to assume). We'll call this the IIS list.
I also got;
http://www.microsoft.com/technet/itsolutions/security/current.asp?productid=2&servicepackid=7
just for fun, trying to validate the IIS list. We'll call this one
the NT list.
I also went to;
http://windowsupdate.microsoft.com/
from my NT 4.0 test server, to see what it would tell me. We'll call
this the WU list.
Finally I went to;
http://www.microsoft.com/downloads/search.asp? and put
"security_patch" in as a keyword and specified the NT 4.0 OS. This is
referenced many times in Microsoft Security Bulletins as the place to
look for security patch information. We'll call this the Download
list.
Well, to my amazement, the results were anything but understandable.
IIS List = 26 Bulletins
NT List = 35 Bulletins
WU List = 23 Bulletins
Download List = 5 Bulletins
Combined List = 78 Bulletins
After reading every bulletin to remove superseded patches;
Filtered List = 53 Bulletins
This is largely due to the release of MS01-026 which superseded 21
patches for IIS 4.0.
The Bulletins pertained to;
- NT 4.0 with SP6a (only) default install
- IIS 4.0 (and anything from a default install of the NT 4.0 Option
  Kit)
- IE 4.01 SP2 (recommended by the Security Checklist)
Then yesterday, or the day before, Microsoft finally released the NT
4.0 Security Roll-up (Q299444), a suite of patches for NT 4.0 that's
similar to the MS01-026 patch for IIS 4.0. Q299444 supersedes 27
patches for NT 4.0.
So with the combination of MS01-026 and Q299444, you now only have to
worry about applying 29 patches (incl. MS01-026 and Q299444), no
doubt that makes you feel a whole lot better.
It's well worth noting that the above lists are for patches. Patches
alone won't make your box immune to attacks that are known to be in
the wild, administrative actions like those done by the script I
produced are also required to get rid of vulnerabilities like
MS99-025 (RDS) and others.
It's no wonder there's so many insecure machines and so many people
that can't keep up, what's a person to do when there's so many
differing suggestions being made by Microsoft and none of them are
complete?
Microsoft Security Response Center needs to move away from the
product-centric approach to Bulletins and move to a more realistic
role-based approach. If they started with "Default installation of
X", then provided you with a *complete* list of what you needed to
apply, that would be way better than what we have today.
I know the MSRC's resources are limited, but what they really need to
do is treat this stuff like they'd treat any other popular product.
Give it a Dev team, Evangelists, Product Management, Marketing, and a
budget that recognizes what the heck they're doing (and not 5 or 6
people, but 50+). Then tell every other Product team to get on board
now or get fired, and make this whole process easy and understandable
by the masses.
Anyway, more about that in a subsequent post.
I'll be revising my IIS 4.0 patches page shortly with the lists I've
come up with, meanwhile here are the links to the new roll-up patch;
http://support.microsoft.com/support/kb/articles/q299/4/44.asp?ID=299444
http://www.microsoft.com/technet/itsolutions/security/news/nt4srp.asp
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor