Re: MS03-026 - are you patched? Windows Update isn't sure!
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Mon, 18 Aug 2003 12:33:40 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
In an interview with Mike Tarsala of CBS.Marketwatch.com, Microsoft's Stephen Toulouse said:
"We put a team of people on this and could not reproduce the problem," Toulouse said. "We've made no change to the Windows Update site, and we are not aware of any of the problems that Cooper is talking about. We urge any customer who believes they might be having a problem with Windows Update installing the patch to contact us directly."
Toulouse said that Microsoft sometimes only checks to see if a particular type of patch software had been run on a computer, but as of a few months ago the company also started checking that certain patches were up and running. He said Microsoft checked every installation of Blaster/Lovesan patch to make sure it was working successfully.
Now I have reports of thousands of machines which Windows Update claimed were patched yet were not according to HFNetchkPro or Microsoft's own MBSA. I've received numerous emails from NTBugtraq subscribers saying the same thing, including the original message on July 30th, 2003, which I reported to NTBugtraq.
So, I'd appreciate it if you would take the time to report your experience to email@example.com so they can try and reproduce the problem.
As to the particular issue I spoke about, namely that Windows Update was only checking the registry key and not the files themselves...last Wednesday, August 13th, Windows Update changed its behavior. At 5:00pm EDT that day I did a demonstration for a media person where I had a W2K SP3 machine which was not patched against MS03-026 (823980). WU said it was unpatched. I then imported the registry keys that patch creates. I tested it again, and WU said it didn't need the patch.
The reporter contacted Microsoft with the results, to which MS said they tried to recreate it and couldn't. They also argued my method was a "highly unlikely and artificial scenario."
I worked with others until the wee hours of the morning trying to determine why they couldn't reproduce what I had. No doubt Windows Update is a cluster, so it's impossible to get the timing completely accurate, but our testing showed that no matter how many times we tested, Windows Update did do file checks for the files included in MS03-026. Therefore, any test like mine would be correctly reported by Windows Update. As I said, at 5:00pm EDT that wasn't the case.
So we had a look at a bunch of other fixes, including the critical MS03-030 fix. We found Windows Update looking for several other files, like quartz.dll, but our test by changing the registry key didn't make any difference for any patch other than MS03-026.
Therefore, our conclusion was that Microsoft did, in fact, add file checking capabilities to Windows Update "some months ago" as Toulouse claimed. However, it is clear from our testing that it didn't do anything with the information it collected about files for any patch prior to 5:00pm EDT on 8/13. After that time, it did something only with the file details returned about the files included in MS03-026.
I haven't looked at the traffic since that night, so it's possible by now they are doing something with all of the file details they collect; that would be a good thing. It remains to be seen if it's true or not. That said, everyone should rescan with HFNetchkPro or MBSA as soon as they can to verify what they thought was patched is really patched (including patches other than MS03-026.)
Given that I first reported this to NTBugtraq on 7/30, I'm very surprised by Microsoft's claims that my findings were untrue and unfounded. I'm even more surprised that they would silently make such a change and not make use of it (build file detection into WU but not use it.)
Maybe you can help to prove my claim.
Russ - NTBugtraq Editor
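
The gap this message describes, a scanner that trusts the registry marker without checking the files on disk, is illustrated below as an added example; it is not from the original post and is not code from Windows Update, HFNetchkPro or MBSA. The host inventory, file names and version numbers are constructed placeholders, and only the hotfix id 823980 comes from the message.

```python
from dataclasses import dataclass, field

# Constructed manifest: the file names and minimum versions are placeholders,
# not the real MS03-026 file list. Only the hotfix id comes from the message.
MANIFEST = {"823980": {"example_a.dll": "5.0.2195.200", "example_b.dll": "5.0.2195.200"}}

@dataclass
class Host:
    name: str
    registry_markers: set = field(default_factory=set)  # hotfix ids recorded as installed
    file_versions: dict = field(default_factory=dict)   # file name -> version found on disk

def parse_version(text):
    """Dotted version -> tuple of ints, so 2195.90 sorts below 2195.200."""
    return tuple(int(part) for part in text.split("."))

def registry_says_installed(host, hotfix):
    return hotfix in host.registry_markers

def files_verified(host, hotfix):
    """True only if every manifest file is present at or above its minimum version."""
    for fname, minimum in MANIFEST[hotfix].items():
        found = host.file_versions.get(fname)
        if found is None or parse_version(found) < parse_version(minimum):
            return False
    return True

def audit(hosts, hotfix):
    """Label each host by comparing the registry marker with the files on disk."""
    labels = {(True, True): "patched", (True, False): "marker-only",
              (False, True): "files-only", (False, False): "unpatched"}
    return {h.name: labels[(registry_says_installed(h, hotfix), files_verified(h, hotfix))]
            for h in hosts}

# Constructed inventory for illustration.
NEW, OLD = "5.0.2195.200", "5.0.2195.90"
HOSTS = [
    Host("ws-01", {"823980"}, {"example_a.dll": NEW, "example_b.dll": NEW}),
    Host("ws-02", {"823980"}, {"example_a.dll": NEW, "example_b.dll": OLD}),
    Host("ws-03", set(), {"example_a.dll": OLD, "example_b.dll": OLD}),
    Host("ws-04", set(), {"example_a.dll": NEW, "example_b.dll": NEW}),
    Host("ws-05", {"823980"}, {"example_a.dll": NEW}),  # one file missing
]

if __name__ == "__main__":
    for name, status in audit(HOSTS, "823980").items():
        print(f"{name}: {status}")
```

Hosts labelled "marker-only" are the ones a registry-only check would report as patched while a file-level scan would not.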