More info about MS03-026
From: Gavin Haslett (gavin_at_NODECAF.NET)
Date: Sun, 17 Aug 2003 07:53:24 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Yes, the subject that never seems to die comes back to haunt us!!
From my email box, it appears that a lot of you are having the same
problems with the patch that I did. There doesn't seem to be any
pattern, no rhyme or reason and it truly is frustrating. On Friday at
work after discovering another two unpatched machines I was heard to
utter the phrase "This damned patch is going to be the death of me!"
Anyway, I'm posting to fill in some more knowledge (I hope) from a
source who wishes to remain anonymous and spoke to Microsoft about the
patch problems. Here's what he wrote;
"Microsoft says they've seen it many times and it is well known among MS
PSS staff as they share info with each other (which I'm happy to hear -
though I wish they would make this info public, perhaps in group-blog
format or something similarly informal). They say other people have
experienced it just like we experienced it - some portion of installs
deployed in quiet mode do this. It's because the patch installer creates
the registry key immediately upon launching, THEN tries to update the
files. And if the update fails, it does not remove the registry key.
Stupidest thing I've ever heard.
Some of the reasons it can fail according to MS (and there are several):
- some process can have the files open, preventing them from being
replaced (so why create the reg key before confirming the files can be
- if the system has not yet rebooted after patch installation, the old
files will still be in place in c:\winnt\system32 (or wherever your
system32 dir is of course); the new files will be in "pending rename"
state and will not replace the old files until the next restart. (Ok, so
why not put the reg key in after restart? Or have the reg key reflect
that the patch is installed but not active?)
- "network problems during patch installation" - ah, the old "blame the
network" trick. (Again, why create the reg key before confirming the
files can be written?)
- permissions on the system directory or particularly the repair
directory could be preventing installation of the new files. (Our users
have full rights to the local filesystem, this was certainly not the
case in our environment - and again, why create the reg key before
confirming the files can be written?) "
Of course, take all of this with as much of a grain of salt as you can
stomach. MS's answers don't really seem to fit the mould at all, and
much of this just seems like an "I don't know the answer so I'll make
something up" type of response. Whatever the case may be, the MS03-026
patch is not that reliable... I'd estimate about 55-60% reliability of
installs given my experience so far (this is including the fact that I
had to reinstall a number of times on several machines). Given that this
is such a critical bug, to me this level of reliability is totally
unacceptable. Thankfully the tools exist to double-check these things,
and I've now laid down a procedure that EVERY patch coming out of
Microsoft that we put on our servers also has a double-check mechanism
similar to that which I put in place for this one. This probably
excludes service packs; just too many files! I don't much feel like
poring over THAT report with a highlighter ;)
Here's hoping that you all have better luck with the patch, or at least
catch failed installs before the Blaster worm comes knocking.
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to