MS03-026 Update Problems?

• Previous message: Dallman, John: "DCOM worm & Itanium machines"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 13 Aug 2003 11:28:34 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I just wanted to relay my experience recently with MS03-026 and see if anyone else has had such a problem;

The patch was installed across the board on all ~200 of our servers, and a check of the registry still shows it installed. On a whim, I built myself a query to check the file versions of those files installed with MS03-026. Lo and behold, 53 of our servers (13 Windows 2000, 40 NT4) all show the wrong file versions. A quick controlled "DCOM Hack Attempt" does indeed show that those servers are in fact still vulnerable.

Now, on most of these servers we did use a scripted rollout, so I'm not averse to the idea that the rollout may have had a bug... but we've identified 4 of the servers still showing the vulnerability that were installed by-hand. This is not a good thing as it says there's a possibility that Microsoft's installation program itself may be flawed.

The moral of the story? Check file sizes and versions after installation of a hotfix! You never know if the update truly succeeded even if the correct registry entries were added.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to

http://www.trusecure.com/offer/s0100/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

• Previous message: Dallman, John: "DCOM worm & Itanium machines"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]