Re: Alert: Microsoft Security Bulletin - MS03-013 - Windows 2000 Warning

From: Herrick, Joe (joe.herrick@DIGEX.COM)
Date: 04/17/03

    Date:         Thu, 17 Apr 2003 15:52:10 -0400
    From: "Herrick, Joe" <joe.herrick@DIGEX.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    The issue with MS03-007 was that the updated version of ntdll.dll was
    incompatible with certain versions of ntoskrnl.exe. MS03-013 appears to
    include an updated version of ntoskrnl.exe (5.0.2195.6159) which, according
    to the bulletin for MS03-007, should resolve the compatibility issue you
    mentioned. As always, test in a non-production environment.

    When I did a binary compare between the two copies of ntdll.dll, I did not
    find any difference at offset 0x8-0xA. I did find a difference at offset
    0x00D8-0x00DB, which is where the timestamp is stored in the file header,
    and another at 0x0128-0x012B, which is the image checksum. The timestamp
    bytes are part of the checksum calculation, so when the timestamp changes, so
    does the checksum.

    Joe Herrick
    NT Engineer
    joe.herrick@digex.com

    -----Original Message-----
    From: Russ [mailto:Russ.Cooper@RC.ON.CA]
    Sent: Wednesday, April 16, 2003 7:32 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: Alert: Microsoft Security Bulletin - MS03-013 - Windows 2000
    Warning

    Thanks to Bronek Kozicki for bringing this to my attention.

    The Windows 2000 version of MS03-013 contains numerous files not listed in
    the manifest supplied in KB 811493. In addition to the kernel files supplied
    in the other OS patches, the following files are also included;

    gdi32.dll v5.0.2195.5907
    kernel32.dll v5.0.2195.6011
    msgina.dll v5.0.2195.4733
    ntdll.dll v5.0.2195.6685
    rdpwd.sys v5.0.2195.6692
    user32.dll v5.0.2195.6000
    userenv.dll v5.0.2195.5968
    win32k.sys v5.0.2195.6003
    winlogon.exe v5.0.2195.6013
    winsrv.dll v5.0.2195.5935

    A brief check shows all to be post-SP3 versions.

    The problem here is that by including NTDLL.DLL in MS03-013, it is
    definitely applying MS03-007. As has been previously reported, there are
    definitely problems installing MS03-007 on systems which had previously
    applied a PSS supplied hotfix, check the archives for more details.

    If Microsoft has somehow fixed the problems with MS03-007, they've never
    said so. The version of NTDLL.DLL included in MS03-013 is the same as that
    included in MS03-007, however as Bronek points out;

    "Binary compare between MS03-007 and MS03-013 version of NTDLL.DLL reveals
    six different bytes (file offset 0x8-0xA and 0x128-0x12A)"

    It's also difficult to determine whether the inclusion of all of these other
    files will cause some other problems for Windows 2000 systems. Let me know
    if you encounter any.

    Meanwhile, I would strongly suggest you avoid applying MS03-013 unless you
    are able to test it in a non-production environment, and possibly wait until
    Microsoft provides some form of clarification. Both the Security Bulletin
    and its KB article are incorrect in stating they do not supersede any other
    hotfix as clearly this is not the case for Windows 2000 systems.

    More information when Microsoft decide to publish it.

    Trustworthy Computing just took another big hit today.

    Cheers,
    Russ - NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Have you discovered a security vulnerability related to Windows or a
    commercial product which runs on Windows?

    Need assistance crafting the format or translating your advisory to English?

    Need to verify it, or having problems contacting the Vendor?

    Contact mailto:Advisories@NTBugtraq.com

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
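The binary compare discussed in this thread, as an added example that is not part of either message: it finds the PE TimeDateStamp and CheckSum fields from the header layout, recomputes the image checksum, and buckets every differing byte so that anything outside those two fields stands out. The function names are this example's own, and the two inputs are constructed 0x200-byte stand-ins (not real copies of ntdll.dll) laid out so the fields fall at 0xD8 and 0x128 as in the post.

```python
import struct

def pe_field_offsets(data):
    """Locate the two header fields named in the post from the PE layout."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF TimeDateStamp is 8 bytes past the signature; the optional header
    # starts 24 bytes past it and holds CheckSum at offset 64.
    return {"timestamp": e_lfanew + 8, "checksum": e_lfanew + 24 + 64}

def pe_checksum(data, csum_off):
    """Folded 16-bit sum with the CheckSum field zeroed, plus file length."""
    buf = bytes(data[:csum_off]) + b"\0" * 4 + bytes(data[csum_off + 4:])
    buf += b"\0" * (len(buf) % 2)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def classify_diff(a, b):
    """Bucket every differing byte offset as timestamp, checksum or other."""
    fields = pe_field_offsets(a)
    out = {"timestamp": [], "checksum": [], "other": []}
    for off in range(max(len(a), len(b))):
        if a[off:off + 1] == b[off:off + 1]:
            continue
        name = next((n for n, start in fields.items()
                     if start <= off < start + 4), "other")
        out[name].append(off)
    return out

def make_sample(timestamp):
    """Constructed 0x200-byte stand-in for a PE file (not a real ntdll.dll)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xD0)  # e_lfanew picked to match the post
    img[0xD0:0xD4] = b"PE\0\0"
    struct.pack_into("<I", img, 0xD8, timestamp)
    struct.pack_into("<I", img, 0x128, pe_checksum(img, 0x128))
    return bytes(img)

if __name__ == "__main__":
    old, new = make_sample(0x3E800000), make_sample(0x3E9C1234)
    for name, offsets in classify_diff(old, new).items():
        print(name, [hex(o) for o in offsets])
```

An empty "other" bucket together with a stored checksum that matches the recomputed one is what a rebuild of the same code looks like; any offset in "other" means the two files differ in content.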


