Re: windows update on XP Pro and MS02-013

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/31/02

Date:         Wed, 30 Oct 2002 18:21:33 -0500
From: Russ <Russ.Cooper@RC.ON.CA>

Microsoft have published;;en-us;q331663

regarding this issue. Basically, the Sun JRE modifies a registry key which Windows Update relies upon to determine whether MS02-013 was installed. It's not the same key used to verify MS02-052 installation. Because the key is modified, Windows Update says it's not installed (I won't go back into my feelings about this form of problem).

MS' recommendation is to re-apply MS02-013.

The KB is very confusing;

1. On systems which have had MS02-052 installed, it seems reasonable to assume that despite Windows Update prompting you to install MS02-013 you are protected against vulnerabilities described in MS02-013 and MS02-052.

2. On systems which have had only MS02-013 installed, you are still protected against that vulnerability, however, without re-applying MS02-013, you won't be able to get MS02-052 offered via Windows Update or Automatic Updates. I haven't checked to see if downloading the VM patch on its own and then running it will actually get it to apply (I doubt it).

3. However, if you re-apply MS02-013 on a system which already had MS02-052 then you'd also have to re-apply MS02-052, I would think, yet the KB article makes no mention of this.

4. They also don't make it clear whether or not there are any problems having the bits from MS02-052 on a system with Sun's JRE (the one that modifies the registry key).

Until it's clearer, I'd recommend (if you can) holding off re-applying MS02-013 and put up with being told you need to re-apply it. Either the KB needs to be clearer, or WU/AU needs to look at another key for verification.

Of course HFNetchk and MBSA get it right, as would any other patch-checking program which doesn't rely entirely upon registry keys.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
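
The difference between a registry-only check and one that also inspects the patched file, as an added example that is not part of the original post and is not HFNetchk or MBSA code. The bulletin ID, registry path, file name and version numbers are constructed placeholders, since the post does not name the actual key or file versions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PatchRule:
    bulletin: str
    marker_key: str        # registry value the updater reads (hypothetical name)
    marker_value: str      # value the patch installer writes there
    file_name: str         # binary the patch replaces (hypothetical name)
    fixed_version: tuple   # lowest file version containing the fix (placeholder)

def parse_version(text):
    """'5.0.100.0' -> (5, 0, 100, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def registry_only(rule, registry):
    """What a checker that trusts only the marker key reports."""
    return registry.get(rule.marker_key) == rule.marker_value

def assess(rule, registry, files):
    """Cross-check the marker against the version of the file on disk."""
    marker_ok = registry_only(rule, registry)
    on_disk = files.get(rule.file_name)
    file_ok = on_disk is not None and parse_version(on_disk) >= rule.fixed_version
    if file_ok:
        return "installed" if marker_ok else "installed, marker overwritten"
    return "marker present, binary unpatched" if marker_ok else "missing"

# Constructed sample data, not taken from any real system.
RULE = PatchRule("EXAMPLE-001", r"HKLM\SOFTWARE\Example\VM\Build", "100",
                 "examplevm.dll", (5, 0, 100, 0))
# Host where another installer rewrote the marker after the patch was applied.
REWRITTEN = ({RULE.marker_key: "third-party"}, {"examplevm.dll": "5.0.100.0"})
# Host where the marker survives but the binary is older than the fix.
ROLLED_BACK = ({RULE.marker_key: "100"}, {"examplevm.dll": "5.0.90.0"})

if __name__ == "__main__":
    for name, (reg, files) in (("rewritten", REWRITTEN), ("rolled back", ROLLED_BACK)):
        print(name, "| registry-only:", registry_only(RULE, reg),
              "| cross-check:", assess(RULE, reg, files))
```

The second sample host shows the opposite failure of a marker-only check: the key still claims the patch is present while the file on disk predates the fix.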