MS03-026 Update Problems?

From: Gavin Haslett (gavin_at_NODECAF.NET)
Date: 08/13/03

    Date:         Wed, 13 Aug 2003 11:28:34 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I just wanted to relay my experience recently with MS03-026 and see if anyone else has had such a problem.

    The patch was installed across the board on all ~200 of our servers, and a check of the registry still shows it installed. On a whim, I built myself a query to check the file versions of those files installed with MS03-026. Lo and behold, 53 of our servers (13 Windows 2000, 40 NT4) all show the wrong file versions. A quick controlled "DCOM Hack Attempt" does indeed show that those servers are in fact still vulnerable.

    Now, on most of these servers we did use a scripted rollout, so I'm not averse to the idea that the rollout may have had a bug... but we've identified 4 of the servers still showing the vulnerability that were installed by hand. This is not a good thing as it says there's a possibility that Microsoft's installation program itself may be flawed.

    The moral of the story? Check file sizes and versions after installation of a hotfix! You never know if the update truly succeeded even if the correct registry entries were added.
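
The post-install check recommended above, as an added example that is not part of the original post: it audits a fleet inventory for hosts where the registry claims the hotfix is installed but the on-disk file version is older than required. The CSV layout, file names, and version numbers are constructed placeholders, not the real MS03-026 file list.

```python
import csv
import io

# Constructed baseline: minimum file versions the hotfix should leave on disk.
# File names and versions are placeholders, not the real MS03-026 manifest.
BASELINE = {
    ("win2000", "file_a.dll"): "5.0.2195.6769",
    ("nt4", "file_a.dll"): "4.0.1381.7224",
}

# Constructed inventory, one row per host and file, as a fleet query might export it.
SAMPLE_INVENTORY = """host,os,registry_installed,file,version
srv01,win2000,yes,file_a.dll,5.0.2195.6769
srv02,win2000,yes,file_a.dll,5.0.2195.6702
srv03,nt4,yes,file_a.dll,4.0.1381.10000
srv04,nt4,yes,file_a.dll,
srv05,nt4,no,file_a.dll,4.0.1381.7100
srv06,win2000,yes,file_a.dll,5.0.2195.67x
"""

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory_csv, baseline=BASELINE):
    """Return {host: reason} for hosts whose files do not prove the hotfix applied."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = baseline.get((row["os"], row["file"]))
        if required is None:
            continue  # file is not part of the baseline for this OS
        claimed = row["registry_installed"].strip().lower() == "yes"
        try:
            ok = parse_version(row["version"]) >= parse_version(required)
        except ValueError:
            findings[row["host"]] = "version missing or unreadable"
            continue
        if not ok:
            findings[row["host"]] = ("registry says installed, file is old"
                                     if claimed else "hotfix not installed")
    return findings

if __name__ == "__main__":
    for host, reason in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {reason}")
```

A missing or malformed version is reported rather than skipped, since an unreadable file is no better evidence of a successful install than the registry entry alone.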
