Re: MS03-026 - are you patched? Windows Update isn't sure!

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 12:33:40 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    In an interview with Mike Tarsala of CBS.Marketwatch.com, Microsoft's Stephen Toulouse said:
    -----
    "We put a team of people on this and could not reproduce the problem," Toulouse said. "We've made no change to the Windows Update site, and we are not aware of any of the problems that Cooper is talking about. We urge any customer who believes they might be having a problem with Windows Update installing the patch to contact us directly."

    Toulouse said that Microsoft sometimes only checks to see if a particular type of patch software had been run on a computer, but as of a few months ago the company also started checking that certain patches were up and running. He said Microsoft checked every installation of Blaster/Lovesan patch to make sure it was working successfully.
    -----

    Now I have reports of thousands of machines which Windows Update claimed were patched yet were not according to HFNetchkPro or Microsoft's own MBSA. I've received numerous emails from NTBugtraq subscribers saying the same thing, including the original message on July 30th, 2003, which I reported to NTBugtraq.

    So, I'd appreciate it if you would take the time to report your experience to secure@microsoft.com so they can try and reproduce the problem.

    As to the particular issue I spoke about, namely that Windows Update was only checking the registry key and not the files themselves...last Wednesday, August 13th, Windows Update changed its behavior. At 5:00pm EDT that day I did a demonstration for a media person where I had a W2K SP3 machine which was not patched against MS03-026 (823980). WU said it was unpatched. I then imported the registry keys that patch creates. I tested it again, and WU said it didn't need the patch.

    The reporter contacted Microsoft with the results, to which MS said they tried to recreate it and couldn't. They also argued my method was a "highly unlikely and artificial scenario."

    I worked with others until the wee hours of the morning trying to determine why they couldn't reproduce what I had. No doubt Windows Update is a cluster, so it's impossible to get the timing completely accurate, but our testing showed that no matter how many times we tested, Windows Update did do file checks for the files included in MS03-026. Therefore, any test like mine would be correctly reported by Windows Update. As I said, at 5:00pm EDT that wasn't the case.

    So we had a look at a bunch of other fixes, including the critical MS03-030 fix. We found Windows Update looking for several other files, like quartz.dll, but our test by changing the registry key didn't make any difference for any patch other than MS03-026.

    Therefore, our conclusion was that Microsoft did, in fact, add file checking capabilities to Windows Update "some months ago" as Toulouse claimed. However, it is clear from our testing that it didn't do anything with the information it collected about files for any patch prior to 5:00pm EDT on 8/13. After that time, it did something only with the file details returned about the files included in MS03-026.

    I haven't looked at the traffic since that night, so it's possible by now they are doing something with all of the file details they collect; that would be a good thing. It remains to be seen if it's true or not. That said, everyone should rescan with HFNetchkPro or MBSA as soon as they can to verify what they thought was patched is really patched (including patches other than MS03-026).

    Given that I first reported this to NTBugtraq on 7/30, I'm very surprised by Microsoft's claims that my findings were untrue and unfounded. I'm even more surprised that they would silently make such a change and not make use of it (build file detection into WU but not use it).

    Maybe you can help to prove my claim.

    Cheers,
    Russ - NTBugtraq Editor

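Added illustration, not code from Russ's post, Windows Update or MBSA: it contrasts the registry-key-only check the post describes with a check of the files the patch replaces, run on a constructed inventory that mirrors the demonstration above (registry key imported, old files still in place). The registry path is an assumption about the Windows 2000 hotfix key layout, and the file list and minimum versions are constructed placeholders, not the real KB823980 file manifest.

```python
"""Registry-only versus file-version patch checks for MS03-026 (KB823980).
Assumptions: the registry path below is a guess at the W2K hotfix key layout;
the file list and minimum versions are constructed placeholders, not the real
KB823980 manifest. Substitute the bulletin's file table for a real check."""
from dataclasses import dataclass, field

# Key the hotfix installer writes; a key-only check tests nothing but this.
MS03_026_KEY = r"HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980"

# Constructed manifest: file path -> lowest version that counts as patched.
MS03_026_FILES = {
    r"%SystemRoot%\system32\rpcrt4.dll": "5.0.2195.9999",
    r"%SystemRoot%\system32\rpcss.dll": "5.0.2195.9999",
    r"%SystemRoot%\system32\ole32.dll": "5.0.2195.9999",
}

@dataclass
class HostInventory:
    """Snapshot of one machine: registry keys present and file versions found."""
    registry_keys: set = field(default_factory=set)
    file_versions: dict = field(default_factory=dict)

def version_tuple(version: str) -> tuple:
    """Parse '5.0.2195.6767' numerically; a string compare misorders 6767 vs 10000."""
    return tuple(int(part) for part in version.split("."))

def patched_by_registry(host: HostInventory) -> bool:
    """Key-only check: the behaviour the post says Windows Update had."""
    return MS03_026_KEY in host.registry_keys

def patched_by_files(host: HostInventory) -> tuple:
    """File check: every listed file present at or above its minimum version.
    Returns (ok, failing_paths); a missing file counts as failing."""
    failing = [path for path, minimum in MS03_026_FILES.items()
               if host.file_versions.get(path) is None
               or version_tuple(host.file_versions[path]) < version_tuple(minimum)]
    return (not failing, failing)

def demo_scenario() -> dict:
    """The post's demonstration on constructed data: an unpatched W2K SP3 box
    that only had the patch's registry key imported, old files still in place."""
    host = HostInventory(registry_keys={MS03_026_KEY},
                         file_versions={p: "5.0.2195.6767" for p in MS03_026_FILES})
    ok, failing = patched_by_files(host)
    return {"registry_says_patched": patched_by_registry(host),
            "files_say_patched": ok, "failing_files": failing}
```

On the constructed host the key-only check reports "patched" while the file check lists all three files as failing, which is exactly the discrepancy HFNetchkPro or MBSA would surface.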