Re: MS silently changing security patches

From: HFNetchk Feedback (hfnetchk@MICROSOFT.COM)
Date: 04/11/02


Date:         Wed, 10 Apr 2002 17:47:11 -0700
From: HFNetchk Feedback <hfnetchk@MICROSOFT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Current version of HFNetChk doesn't differentiate between DCs and
non-DCs, (it does differentiate between different SKUs of the product -
Pro, Server, Adv Server, etc.). A future version of hfnetchk might be
able to do this, the XML schema would probably be changed to support
notation that a patch was only applicable to DCs. (MS01-011, 24,36 were
DC only patches as well.)

In the meantime, consider a DC like a service on the system. Example:
There have been patches for the tlntsvr service - most people don't use
the service, but if we find earlier versions of tlntsvr.exe on the
system, we'll recommend that it be updated - because although you're not
using the service today, you might tomorrow, and the file should be the
most recent. DCs are a little different, you don't casually decide to
turn on a DC service, however.

The files for 02-016 are marked in the XML file as change if exist, so
if any of those files in the patch are on your server system, and they
aren't the most recent (ie what's in the patch) it will tell you you
need to install the patch. It doesn't hurt a server to apply this
patch, but it's not necessary for this issue. Future versions of
hfnetchk will have a -ignore flag where you can specify issues that you
don't want to report on.

At 04:34 PM 4/10/2002 -0400, Francis Favorini wrote:
Hi,
        Just thought I'd pass this along. Microsoft has silently
changed
the patch in MS02-008 (at least the MSXML 3.0 version). The old patch I
downloaded on 2/22/02 had version 8.20.9307.0 of msxml3.dll. The
version I
downloaded today has version 8.20.9415.0. There is no indication in the
security bulletin that anything has changed. HFNetChk alerted me that
the
file version did not match.
        The same thing happened last month with MS02-009. The patch
silently changed, although the bulletin did get updated later. It's
possible that this is simply due to a delay in the revised bulletin
getting
propagated to all the web servers. I hope this is the case.
        On a semi-related note, does anyone know why HFNetChk complains
that
MS02-016 is not applied to a Win2K server that is not a domain
controller?
Is it just because it can't identify DC's, or is there some reason to
apply
it?

-Francis



Relevant Pages

  • Re: SYSVOL GPOs re:copying
    ... If you create a test user account on each DC, does it successfully replicate to each of the other DCs? ... Stop FRS on each of the new DCs. ... open a command prompt and change directory into the GPMC scripts folder. ... The effort and/or risk in fixing this server seems to exceed the ...
    (microsoft.public.win2000.active_directory)
  • Re: 5.3-RELEASE: WARNING - WRITE_DMA interrupt timout
    ... My problem is not related to a SATA controller. ... Everything works pretty well on this server. ... the qmail MTA, an otherwise pretty powerful email program. ... I'm going to apply a patch to qmail in a few days. ...
    (freebsd-current)
  • Re: PDC Is not replicating !!
    ... server on the replication DC. ... I have ACE server installed. ... > DCs replicating by disabling replication when USN rollback is ... > If you used imaging to copy your production environment into a lab ...
    (microsoft.public.win2000.active_directory)
  • Re: Windows 2003 R2 Active Directory Performance Question
    ... In a single forest domain, like domain.com, you should make ALL DCs Global catalog server as the IM has nothing to do. ... and 1 is running DHCP) spread across multiple VLANs (multiple NICs ... buildings, some buildings are 1 mile, some are 7 miles away ...
    (microsoft.public.windows.server.active_directory)
  • Re: KB917537 Failing
    ... four days after the patch released. ... mature server OS, an enterprise-class messaging system, and automated ... if you hit the "Restart" button ... here as I had assumed this would be a common problem.. ...
    (microsoft.public.windows.server.sbs)