More info about MS03-026

From: Gavin Haslett (gavin_at_NODECAF.NET)
Date: 08/17/03

  • Next message: ELLISTER Mark K: "IMPORTANT SECURITY ANNOUNCEMENT - for Windows Users re: Blaster Worm"
    Date:         Sun, 17 Aug 2003 07:53:24 -0500

    Yes, the subject that never seems to die comes back to haunt us!!

     From my email box, it appears that a lot of you are having the same
    problems with the patch that I did. There doesn't seem to be any
    pattern, no rhyme or reason and it truly is frustrating. On Friday at
    work after discovering another two unpatched machines I was heard to
    utter the phrase "This damned patch is going to be the death of me!"

    Anyway, I'm posting to fill in some more knowledge (I hope) from a
    source who wishes to remain anonymous and spoke to Microsoft about the
    patch problems. Here's what he wrote;

    "Microsoft says they've seen it many times and it is well known among MS
    PSS staff as they share info with each other (which I'm happy to hear -
    though I wish they would make this info public, perhaps in group-blog
    format or something similarly informal). They say other people have
    experienced it just like we experienced it - some portion of installs
    deployed in quiet mode do this. It's because the patch installer creates
    the registry key immediately upon launching, THEN tries to update the
    files. And if the update fails, it does not remove the registry key.
    Stupidest thing I've ever heard.

    Some of the reasons it can fail according to MS (and there are several):

    - some process can have the files open, preventing them from being
    replaced (so why create the reg key before confirming the files can be

    - if the system has not yet rebooted after patch installation, the old
    files will still be in place in c:\winnt\system32 (or wherever your
    system32 dir is of course); the new files will be in "pending rename"
    state and will not replace the old files until the next restart. (Ok, so
    why not put the reg key in after restart? Or have the reg key reflect
    that the patch is installed but not active?)

    - "network problems during patch installation" - ah, the old "blame the
    network" trick. (Again, why create the reg key before confirming the
    files can be written?)

    - permissions on the system directory or particularly the repair
    directory could be preventing installation of the new files. (Our users
    have full rights to the local filesystem, this was certainly not the
    case in our environment - and again, why create the reg key before
    confirming the files can be written?) "

    Of course, take all of this with as much of a grain of salt as you can
    stomach. MS's answers don't really seem to fit the mould at all, and
    much of this just seems like an "I don't know the answer so I'll make
    something up" type of response. Whatever the case may be, the MS03-026
    patch is not that reliable... I'd estimate about 55-60% reliability of
    installs given my experience so far (this is including the fact that I
    had to reinstall a number of times on several machines). Given that this
    is such a critical bug, to me this level of reliability is totally
    unacceptable. Thankfully the tools exist to double-check these things,
    and I've now laid down a procedure that EVERY patch coming out of
    Microsoft that we put on our servers also has a double-check mechanism
    similar to that which I put in place for this one. This probably
    excludes service packs; just too many files! I don't much feel like
    poring over THAT report with a highlighter ;)

    Here's hoping that you all have better luck with the patch, or at least
    catch failed installs before the Blaster worm comes knocking.


    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to


  • Next message: ELLISTER Mark K: "IMPORTANT SECURITY ANNOUNCEMENT - for Windows Users re: Blaster Worm"