Re: MS03-026 - are you patched? Windows Update isn't sure!
From: Tom Geairn (tgeairn_at_NEWVIEWCONSULTING.COM)
Date: 08/18/03
Date: Mon, 18 Aug 2003 14:08:13 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hoping to shed a little light on the file version checking in Windows
Update, I did my own digging into what WU looks for. It appears that
the majority of the checks are done with either registry lookups or by
querying the Windows Installer service (which amounts to a metabase or
registry lookup somewhere, right?). Sometimes, a file version is
checked. I compiled a list of files checked below (see end of message).
These are checked by the current version of WU (dated 8/15/03). Note
that in some cases it is sufficient for only one file to be of the
correct version even when they come in a pair (an example is html32.cnv
and msconv97.dll: if either one passes the version test, the patch is
considered installed).
To further complicate things, many tests are multiple levels of
<expression> and <expression> or <expression> and <expression> ...etc.
This of course leaves a wide path for errors when dealing with multiple
languages, service pack levels, existence of other patches, etc.
I don't know the answer to Russ's mystery regarding the demo he did last
Wednesday, but if someone has their
\wwwroot\dictionaries\autoupdate\win2k\items.txt file from an SUS server
from before that date we could look to see exactly what criteria WU was
looking for to determine if the patch was installed.
Currently, here is the expression for 823980 (I apologize for the
wrapping that is sure to occur on your screen):
---------------------
<detection><installed><expression>
  <and>
    <expression>
      <or>
        <expression><regKeyValue><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980</key><entry>Installed</entry><value>1</value></regKeyValue></expression>
        <expression><regKeyExists><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB823980</key></regKeyExists></expression>
      </or>
    </expression>
    <expression>
      <and>
        <expression>
          <and>
            <expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="ole32.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6769</version></fileVersion></expression>
            <expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="rpcrt4.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6753</version></fileVersion></expression>
          </and>
        </expression>
        <expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="rpcss.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6769</version></fileVersion></expression>
      </and>
    </expression>
  </and>
</expression></installed></detection>
So, IF we have a reg value for Installed of "1" OR the uninstall key
exists, AND these three files all have the correct or higher version, THEN
the patch is already installed (according to WU). This is pretty
fail-proof, but who's to say it always looked this way?
-Tom Geairn
NewView Consulting, LLC
-Files checked by WU on Win2k-
dxmasf.dll
msxml4.dll
rasapi32.dll
Cryptdlg.dll
gdi32.dll
ntdll.dll
Jscript.dll
ntoskrnl.exe
javart.dll
jview.exe
msjava.dll
Wmp.dll
quartz.dll
srv.sys
srvsvc.dll
html32.cnv
msconv97.dll
ole32.dll
rpcrt4.dll
rpcss.dll
-
-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
Sent: Monday, August 18, 2003 11:34 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: MS03-026 - are you patched? Windows Update isn't sure!
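To make the and/or nesting and the HIGHER_OR_SAME test in the 823980 expression concrete, here is a small evaluator for that detection format. It is an example added to this archive page, not code from the post, from SUS or from Windows Update; it walks the posted XML against a constructed in-memory picture of a machine (registry keys and file versions keyed by file name only, ignoring %CSIDL_SYSTEM%), and it only understands the elements and the one versionStatus value that appear in the post.

```python
import xml.etree.ElementTree as ET

# The 823980 expression from the post, unwrapped into one string (same elements, same values).
KB823980 = r"""<detection><installed><expression><and>
<expression><or>
<expression><regKeyValue><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB823980</key><entry>Installed</entry><value>1</value></regKeyValue></expression>
<expression><regKeyExists><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB823980</key></regKeyExists></expression>
</or></expression>
<expression><and>
<expression><and>
<expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="ole32.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6769</version></fileVersion></expression>
<expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="rpcrt4.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6753</version></fileVersion></expression>
</and></expression>
<expression><fileVersion versionStatus="HIGHER_OR_SAME"><filePath name="rpcss.dll"><path>%CSIDL_SYSTEM%</path></filePath><version>5.0.2195.6769</version></fileVersion></expression>
</and></expression>
</and></expression></installed></detection>"""

# Constructed machine state standing in for the live registry and the %CSIDL_SYSTEM% directory:
# registry keys map to their value entries; files map by name to a version string.
PATCHED = {
    "regkeys": {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB823980": {}},
    "files": {"ole32.dll": "5.0.2195.6769", "rpcrt4.dll": "5.0.2195.6753", "rpcss.dll": "5.0.2195.6769"},
}

def vtuple(v):
    return tuple(int(p) for p in v.split("."))   # "5.0.2195.6769" -> (5, 0, 2195, 6769), compares numerically

def evaluate(node, state):
    # Walk the expression tree; True means WU would report the patch as installed.
    tag = node.tag
    if tag in ("detection", "installed", "expression"):
        return evaluate(list(node)[0], state)          # wrapper elements hold exactly one child
    if tag == "and":
        return all(evaluate(c, state) for c in node)
    if tag == "or":
        return any(evaluate(c, state) for c in node)
    if tag == "regKeyExists":
        return node.findtext("key") in state["regkeys"]
    if tag == "regKeyValue":
        values = state["regkeys"].get(node.findtext("key"), {})
        return values.get(node.findtext("entry")) == node.findtext("value")
    if tag == "fileVersion":
        have = state["files"].get(node.find("filePath").get("name"))
        if have is None:
            return False                               # file missing: cannot be the patched version
        if node.get("versionStatus") != "HIGHER_OR_SAME":
            raise ValueError("unsupported versionStatus")
        return vtuple(have) >= vtuple(node.findtext("version"))
    raise ValueError("unknown element <%s>" % tag)

def is_installed(xml_text, state):
    return evaluate(ET.fromstring(xml_text), state)
```

Changing one file in PATCHED to a lower build, or dropping both registry keys, flips the result to False, which is exactly the "reg key OR uninstall key, AND all three file versions" reading given in the post.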