Re: reports of DCOM worm on the loose...Report #4

From: Geoff Clow (GClow_at_STBERNARD.COM)
Date: 08/13/03

    Date:         Tue, 12 Aug 2003 19:07:44 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Russ [Russ.Cooper@RC.ON.CA] wrote:

    > 3. Came across another very large installation that had used St. Bernard's Update Expert to deploy MS03-026. ... that installation discovered that MS03-026 had not deployed correctly

    St. Bernard Software has attempted to corroborate this report, through our own extensive testing, through our Support records, and together with some list members who expressed an interest in the issue. Internally, we have identified one scenario that is related, as follows.

    MS03-026 requires a reboot to complete its installation. UpdateEXPERT by default will initiate the reboot. However, the user can choose to override this default, in favor of an explicit reboot (e.g., manual or through UpdateEXPERT's Console) at a later time. The installation is incomplete until the reboot occurs, though UpdateEXPERT reports the patch is installed.

    A preferred usage would be to leave the reboot automatic, and schedule installation of the patch for a later time, thereby scheduling both the installation and the reboot. This allows the reboot to occur at a convenient time while still assuring that it does in fact occur.

    We have not yet confirmed instances of this scenario in the field, and it will be resolved by our enhanced validation coming out later this month as discussed by Dan Sackinger (http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0308&L=ntbugtraq&F=P&S=&P=1599). As a benefit to the community, we would welcome anyone having useful information to contact us. For our part, we will continue to aggressively investigate the scenarios that are reported, and will publish an account to NTBugTraq of any scenarios that successfully produce the results suggested. (Contacts will be kept confidential.)

    You can provide information on this matter to me directly or by cc, and I will expedite its handling. Thanks to those who have already contributed to the dialogue.

    Regards,

    Geoff Clow
    VP, Software Engineering
    St. Bernard Software
    GClow@StBernard.com

    > -----Original Message-----
    > From: Russ [mailto:Russ.Cooper@RC.ON.CA]
    > Sent: Tuesday, August 12, 2003 6:30 AM
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: Re: reports of DCOM worm on the loose...Report #4
    >
    > Summary of information uncovered;
    >
    > 1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't supporting this configuration and insist you should test it, but I have had numerous reports from people who have successfully installed it. Windows 2000 SP2 systems have been successfully compromised.
    >
    > 2. Windows Update and most 3rd party patch management applications will not offer you the ability to install MS03-026 on Windows 2000 SP2 systems. I have prepared an XML file for use with HFNetchk or MBSACli which will both check for, and recommend, MS03-026 on Windows 2000 SP2 systems.
    >
    > 3. Came across another very large installation that had used St. Bernard's Update Expert to deploy MS03-026. They deployed to Windows 2000 SP3 systems. After rechecking, that installation discovered that MS03-026 had not deployed correctly, and all of those systems needed to have the patch re-applied either manually, or via HFNetchk/MBSA.
    >
    <snip>
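
The reboot-pending state described in the reply above can be checked independently of what a deployment tool reports. This PowerShell sketch is an added example, not part of the original message or of UpdateEXPERT. It assumes the installer queues its in-use files through the standard Windows delayed-rename list (`PendingFileRenameOperations`); the function names and the sample file names are hypothetical.

```powershell
# Added example. Function names and sample file names are hypothetical.
# Assumption: the patch stages replacements for in-use files in the Session
# Manager delayed-rename list, which Windows processes at the next boot.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function ConvertFrom-PendingRename {
    # The value is a flat list of pairs: source, then destination.
    # An empty destination means "delete the source at next boot".
    param([string[]]$Entries)
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $Entries[$i]     -replace '^\\\?\?\\', ''
            Destination = $Entries[$i + 1] -replace '^!?\\\?\?\\', ''
        }
    }
}

function Get-PendingReplacement {
    # Returns queued operations that will overwrite one of the named binaries.
    param([string[]]$FileName, [string[]]$Entries)
    ConvertFrom-PendingRename $Entries | Where-Object {
        $_.Destination -and (($_.Destination -split '\\')[-1] -in $FileName)
    }
}

# Constructed sample: one staged replacement and one unrelated temp-file delete.
$sample = @(
    '\??\C:\WINNT\system32\example_new.tmp', '!\??\C:\WINNT\system32\example.dll',
    '\??\C:\WINNT\Temp\leftover.tmp',        ''
)
$watch = @('example.dll')   # binaries the patch is expected to replace
Get-PendingReplacement -FileName $watch -Entries $sample | Format-List

# Live check on the local machine (the value is absent when nothing is queued).
$live = (Get-ItemProperty -Path $SessionManager -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
$pending = @(Get-PendingReplacement -FileName $watch -Entries $live)
if ($pending.Count -gt 0) {
    "INCOMPLETE: $($pending.Count) patched file(s) still waiting for a reboot"
} else {
    'No queued replacement for the watched files'
}
```

A clean result here only shows that nothing is queued; confirming that the patch is effective still requires comparing the on-disk file versions against those listed in the bulletin.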
