Re: IE Security Bulletin 02-047 affects Terminal Services connecting via a web page
From: Russ (Russ.Cooper@RC.ON.CA) Date: 08/26/02
Date: Mon, 26 Aug 2002 16:20:23 -0400 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
MS02-046 updates the Terminal Services Advanced Client (TSAC) control. This control is hosted on IIS boxes. Clients connect to the appropriate page and the IIS box will download the TSAC control to the IE client (if all conditions are right). MS02-046 needs to be applied to the IIS box if the new control is to be offered to clients. Clients need no update to use this new control...however...
MS02-047 causes clients to reject the older TSAC control. Once that patch is applied, clients will no longer accept the older TSAC control, and instead, will generate an error. This only happens if the IIS box the updated clients are connecting to is still offering the older TSAC control.
Some people have misunderstood that both are required, and the best installation method is to apply MS02-046 to your servers, then MS02-047 to your clients.
Susan's point in her NTBugtraq message is that, in addition to the patches, you need to also modify web pages which refer to the TSAC control. Since the control's GUID is hard-coded in the page, you must change the reference to it. A patch can't do that.
All of that information is well documented in the Microsoft Security Bulletins and references within.
I put Susan's message through because, it seems, a number of people have not fully read the bulletins, but instead, just gone ahead and installed the patch(es). This can be a common problem if you're using automated patch management systems, allowing your clients to go to Windows Update before you get there with your server, or blindly patching your systems with whatever new patch comes along.
Windows Update/Automatic Updates can easily have caused you, the IIS Server Administrator who's still trying to determine if the new TSAC control breaks your systems, to stop such testing and push the patch out regardless. Ouch, sorry about that...
Remember, not everything is fixed by simply applying a patch.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
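The message's point that pages hard-code the control's GUID can be checked mechanically. The following is an added example, not part of the original message or of any Microsoft tooling: it scans page markup for `<object>` tags and flags any that still reference the retired control. The two CLSIDs are placeholders, and the sample page names, IDs and cab names are constructed; the real values come from the bulletins.

```python
import re
from html.parser import HTMLParser

# Placeholder CLSIDs (constructed). Take the real old and new values from the bulletins.
RETIRED_CLSID = "00000000-0000-0000-0000-0000000000aa"
CURRENT_CLSID = "00000000-0000-0000-0000-0000000000bb"

def normalise(classid):
    """Reduce 'CLSID:{GUID}' or 'clsid:GUID' to a bare lowercase GUID."""
    return re.sub(r"^clsid:", "", classid.strip().lower()).strip("{} ")

class ObjectTagCollector(HTMLParser):
    """Records (line, guid, codebase) for every <object> tag that has a classid."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)  # the parser lowercases tag and attribute names
        if tag == "object" and attributes.get("classid"):
            self.refs.append((self.getpos()[0], normalise(attributes["classid"]),
                              attributes.get("codebase") or ""))

def audit_page(name, html):
    """Classify each <object> reference in one page as stale, current or other."""
    collector = ObjectTagCollector()
    collector.feed(html)
    collector.close()
    labels = {RETIRED_CLSID: "stale", CURRENT_CLSID: "current"}
    return [{"page": name, "line": line, "status": labels.get(guid, "other"),
             "codebase": codebase} for line, guid, codebase in collector.refs]

# Constructed sample pages; file names, IDs and cab names are made up.
SAMPLE_PAGES = {
    "connect.htm": '<html><body>\n<OBJECT ID="TsClient"\n'
                   ' CLASSID="CLSID:{00000000-0000-0000-0000-0000000000AA}"\n'
                   ' CODEBASE="control.cab"></OBJECT>\n</body></html>',
    "connect-new.htm": '<object id="TsClient" '
                       'classid="clsid:00000000-0000-0000-0000-0000000000bb"></object>',
}

if __name__ == "__main__":
    for page, html in SAMPLE_PAGES.items():
        for finding in audit_page(page, html):
            print(finding)
```

Run against the web root before clients receive MS02-047, any page reported as `stale` is one that will produce the error described above once the client patch is in place.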