Re: MS03-026 - are you patched? Windows Update isn't sure!
From: Dan Sackinger (dsackinger_at_STBERNARD.COM)
Date: 08/05/03
Date: Tue, 5 Aug 2003 13:52:47 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

There has been much discussion lately about the accuracy of using
registry checks to determine if a patch is installed on a given machine.
Many patches install a registry key to indicate that they have been
installed on a machine. In most cases, checking this key is adequate to
determine if a patch is installed. This does not guarantee that the
patch files are intact.

UpdateEXPERT uses registry keys in checking for the installation status
of many of the patches that we detect. The decision to use these
registry keys is based on a need for a high performance machine scan
that in most cases will be accurate. We test each and every patch
detection criterion on all valid platforms before certifying that a new
database is ready to be delivered to the public.

However, some people have been asking for a greater level of checking to
ensure that the actual files associated with the installed patches are
actually intact. We recognize that registry checks are not always
adequate to determine this. We have therefore developed a technology
that will enable us to do a validation of the patch files by size,
checksum and version. This exhaustive checking is offered in addition to
our standard patch detection. We gather our validation information
independently of any other public source so that we can ensure its
accuracy. We then test this validation information against every
platform and application that we support.

Most people patch their systems in an effort to make them more secure.
Security patches generally replace one or more files of the operating
system with code that fixes a vulnerability. It is important to be able
to verify that the updated code is actually installed on a given machine
to ensure that the vulnerability is removed.

A common problem that people run into when trying to verify that
vulnerabilities have been patched correctly is a failure of the
validation information to correctly take into account patch
interactions. If a file is patched to fix a vulnerability and that same
file is patched again at a later time for a different vulnerability,
what version of the file should be installed on the machine? A
reasonable assumption is that the patch vendor in most cases would make
the patch cumulative for any given file that is patched. In this case,
the latter of the two versions of the file should be installed on the
machine.

Not having an awareness of patch interaction as described above is a
likely explanation for the inconsistencies that were reported on August
1st, 2003 in the posting titled "Re: MS03-026 - are you patched? Windows
Update isn't sure!" In this case, it is likely that the MBSA is
checking for versions of files that have since been updated by other
patches.

UpdateEXPERT 6 contains a smart validation engine that dynamically
builds the list of files that are expected to be on a given machine. It
does this by first determining which patches are installed on the
machine and then calculating which versions of the total file set should
be installed on that machine. This set of information is then compared
with what is actually on that machine and any differences are reported.

We will be delivering our validation information in phases starting with
the OS information by the end of August followed rapidly by the other
applications that we support in our product.

Dan Sackinger
Development Manager - UpdateEXPERT
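
The patch-interaction check described in the message, as an added example that is not part of the original post and not UpdateEXPERT code: it merges the file lists of all installed patches, keeps the newest version of each file, and compares that against the machine. The patch ids, file names, versions and digests are constructed placeholders.

```python
from typing import NamedTuple

class FileSpec(NamedTuple):
    version: tuple  # numeric tuple, e.g. (5, 0, 100, 10)
    sha256: str     # expected digest of the patched file

def parse_version(text):
    """'5.0.100.10' -> (5, 0, 100, 10); compares numerically, so .10 sorts after .9."""
    return tuple(int(part) for part in text.split("."))

# Constructed patch database: patch id -> {file name: FileSpec}. All values are placeholders.
PATCH_DB = {
    "PATCH-A": {"example.dll": FileSpec(parse_version("5.0.100.9"), "aa" * 32)},
    "PATCH-B": {"example.dll": FileSpec(parse_version("5.0.100.10"), "bb" * 32),
                "other.dll": FileSpec(parse_version("1.2.0.0"), "cc" * 32)},
}
# Constructed inventory of a machine that has both patches installed.
MACHINE = {"example.dll": FileSpec(parse_version("5.0.100.10"), "bb" * 32),
           "other.dll": FileSpec(parse_version("1.2.0.0"), "cc" * 32)}

def expected_files(installed_patches, patch_db=PATCH_DB):
    """Merge the file sets of all installed patches, keeping the newest version per file."""
    expected = {}
    for patch_id in installed_patches:
        for name, spec in patch_db[patch_id].items():
            if name not in expected or spec.version > expected[name].version:
                expected[name] = spec
    return expected

def validate(installed_patches, actual_files, patch_db=PATCH_DB):
    """Return (file, problem) pairs where the machine differs from the merged expectation."""
    findings = []
    for name, spec in sorted(expected_files(installed_patches, patch_db).items()):
        actual = actual_files.get(name)
        if actual is None:
            findings.append((name, "missing"))
        elif actual.version < spec.version:
            findings.append((name, "older than expected"))
        elif actual.version == spec.version and actual.sha256 != spec.sha256:
            findings.append((name, "checksum mismatch"))
        # A version newer than the database knows about is not reported here.
    return findings

def naive_validate(patch_id, actual_files, patch_db=PATCH_DB):
    """Per-patch check that ignores interaction: demands exactly that patch's file versions."""
    return [name for name, spec in patch_db[patch_id].items()
            if name not in actual_files or actual_files[name].version != spec.version]

if __name__ == "__main__":
    print("merged check:", validate(["PATCH-A", "PATCH-B"], MACHINE))
    print("naive PATCH-A check flags:", naive_validate("PATCH-A", MACHINE))
```

The naive check reports PATCH-A as broken on a correctly patched machine because PATCH-B has since replaced the same file, which is the kind of inconsistency the message attributes to missing patch-interaction awareness.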