Confusion about versions

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/28/03

  • Next message: Russ: "Revised: Microsoft Security Bulletin - MS02-070"
    Date:         Tue, 28 Jan 2003 11:28:00 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>

    Robert Chin wrote;

    "I'm confused about the version of the ssnetlib.dll file. In Eric post,
    it's indicated that the version of this dll file should be 2000.80.636.0
    or later to be considered patched. And in Microsoft's re-released patch
    for MS02-061, it indicates that one may need to install Q317748 after
    the installation of MS02-061. The ssnetlib.dll file version under the
    MS02-061 patch is: 2000.80.679.0. However, the same file under Q317748,
    is: 2000.80.568.0. Any clarification on this is highly appreciated."

    1. MS02-039 was the first Security Bulletin hotfix for SQL which
    addressed the vulnerability Slammer exploits. The affected file was
    ssnetlib.dll, and the first corrected version was 2000.080.0636.00. That
    was released at the end of June 2002.

    2. MS02-043 was released in August 2002, and it contained the same
    ssnetlib.dll as MS02-039.

    3. MS02-056 came along in October 2002, and it contained an ssnetlib.dll
    versioned 2000.080.0679.00.

    4. Q317748 was a SQL hotfix that was not a security bulletin. It
    addressed a handle leak that was introduced with SQL SP2. It was
    released in October 2002. I have had reports from people who have been
    running many SQL servers without that patch and have never encountered a
    problem. The specifics of the handle leak are such that it does not
    affect many installations.

    Unfortunately, Q317748 has a problem. Despite being released 3 months
    after the first SQL patch that corrected the vulnerability Slammer
    exploits, it contained the wrong version of ssnetlib.dll. Q317748
    contained 2000.080.0568.00.

    So if you had applied MS02-039, or MS02-043, or MS02-056 before Q317748
    came along, and then applied Q317748, you may have downgraded your
    ssnetlib.dll to a version that did not address Slammer. When you run
    Q317748 on a system that had an updated ssnetlib.dll, you would have
    been prompted that the file you were replacing was newer than the
    replacement (if you weren't doing this in unattended mode). If you said
    don't replace, you'd be fine, otherwise, you regressed.

    5. MS02-061 came along later in October 2002. It *did* contain the
    MS02-056 version of ssnetlib.dll, a version which addressed Slammer.
    Unfortunately, it did not include the ssmslpcn.dll from Q317748.

    6. SQL/MSDE SP3 came along January 2003. It contains updates for
    ssnetlib.dll and ssmslpcn.dll, both version 2000.080.0760.00.

    7. MS02-061 was re-released January 26th, 2003. The only change to it
    was that the ssmslpcn.dll from Q317748 (v2000.080.0568.00) was added to
    the previously released patch, and a script was wrapped around it to
    make it easier to install. As a result, MS02-061 now contains both the
    handle leak patch, and the Slammer patch, in one pre-SP3 package.

    Hope that makes it as clear as it can be.

    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    Delivery co-sponsored by TruSecure Corporation
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit for full details.


    Relevant Pages

    • Re: MicroMonopoly aids Terrorism?
      ... > It appears your reference to sqlmag is to support the supposition ... > that the SQL patch which covered the Slammer vulnerability ... > also difficult to install). ... Microsoft also changed patch development for SQL ...
    • RE: Microsoft Security Advisory MS 03-007 - Problems
      ... We are currently researching a very specific issue with the patch. ... My first install on a freslhly built W2K ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ... box giving hackers complete access to all your backend systems! ...
    • Re: Microsoft Security Advisory MS 03-007 - Problems
      ... My first install on a freslhly built W2K ... patch for this security issue. ... > Do you Yahoo!? ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ...
    • Re: Patches and Updates
      ... I'm having the exact same problem, I am also running Dual CPU. ... let me install it. ... > dual CPU setup (look at the description of the patch requirement). ... >> server it says there is a patch missing for SQL but it won't load it. ...
    • Re: MicroMonopoly aids Terrorism?
      ... The patch is simple to install. ... You do not get much simpler than it is to install. ... An easier way to read newsgroup messages: ... "Someone who didn't get SLAMMER either" ...