Re: Alert: Microsoft Security Bulletin - MS03-039
From: Greg Chapman (greg_at_MOUSETRAX.COM)
Date: 09/11/03
- Previous message: Marc Maiffret: "EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II"
- In reply to: Russ: "Re: Alert: Microsoft Security Bulletin - MS03-039"
- Next in thread: James Foster: "Re: Alert: Microsoft Security Bulletin - MS03-039"
Date: Wed, 10 Sep 2003 17:45:46 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
If I may, I'd like to add to Russ' polite and thorough instructions.
Nothing wrong with telling your Corp IT guys you smell BS. If they'd
actually read the KB article associated with the MS03-039 bulletin, they'd
have discovered that Microsoft actually had them covered when they
published the bulletin. That's why you can go to
http://support.microsoft.com/?kbid=827363 ("How to Use the KB 824146
Scanning Tool to Identify Host Computers That Do Not Have the 823980
(MS03-026) and the 824146 (MS03-039) Security Patches Installed"), read it
and follow the directions for getting the updated tool for the job. From
their response, I'm afraid you'll be victim of some other poor
assumptions coming out of their cubes. You might want to send them the
link...but don't expect a promotion from doing so.
The updated scan tool produces nearly identical output to that offered
with MS03-026. But there are some key differences. Here's an example of
the output from a scan I did of our systems about half an hour after the
bulletin was published here:
Patched with KB824146 and KB823980 .... 4
Patched with KB823980 ................. 2437
Unpatched ............................. 76
TOTAL HOSTS SCANNED ................... 2517
DCOM Disabled ......................... 5
Needs Investigation ................... 3
Connection refused .................... 34773
Host unreachable ...................... 15930
Other Errors .......................... 20
TOTAL HOSTS SKIPPED ................... 50731
TOTAL ADDRESSES SCANNED ............... 53248
While it's not exactly the most useful output (vulnerable.txt only shows
addresses and doesn't elaborate on the detail above), there is a host of
usable info including the direct acknowledgement that this tool knows
about both patches. In addition, the KB article "Buffer Overrun In RPCSS
Service Could Allow Code Execution
(824146)" goes on to say that:
"Microsoft has released a tool that can be used to scan a network for the
presence of systems which have not had the MS03-039 patch installed.
More details on this tool are available in Microsoft Knowledge Base
article 827363. This tool supersedes the one provided in Microsoft
Knowledge Base article 826369 which was developed to scan systems for
the vulnerability patched by MS03-026."
Never use a fly swatter when a sledgehammer is available.
Greg Chapman
http://www.mousetrax.com
"Counting in binary is as easy as 01, 10, 11!
With thinking this clear, is coding really a good idea?"
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
> Sent: Wednesday, September 10, 2003 4:48 PM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: Alert: Microsoft Security Bulletin - MS03-039
>
>
> I knew this was coming...
>
> ---------------- Original message -------------------
> Russ,
> I installed the patch (MS03-039). Now corporate (still
> running scans for MS03-026) says I'm vulnerable. I know the
> technical bulletin describes this in detail. If I understand
> correctly the scanning tool needs to be updated. Corporate in
> their infinite wisdom wants me to back out the MS03-039
> patch. Is anyone else dealing with this?
> ---------------- Original message -------------------
>
> Well, I have to say that "Corporate" needs to get their head
> out of their...well, Ok, let me be nicer.
>
>
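Added example, not part of the original message and not Microsoft's tool: a short Python parser for the scanner summary quoted above that cross-checks the three totals and counts the scanned hosts that still lack KB824146. The row labels are copied from the posted output; which rows sum into which total is an assumption inferred from the posted numbers.

```python
import re

# Summary quoted in the message above (scanner output, copied as posted).
SUMMARY = """\
Patched with KB824146 and KB823980 .... 4
Patched with KB823980 ................. 2437
Unpatched ............................. 76
TOTAL HOSTS SCANNED ................... 2517
DCOM Disabled ......................... 5
Needs Investigation ................... 3
Connection refused .................... 34773
Host unreachable ...................... 15930
Other Errors .......................... 20
TOTAL HOSTS SKIPPED ................... 50731
TOTAL ADDRESSES SCANNED ............... 53248
"""

ROW = re.compile(r"^(.+?)\s*\.{2,}\s*(\d+)\s*$")
# Assumed grouping: each total is the sum of the rows listed for it.
GROUPS = {
    "TOTAL HOSTS SCANNED": ["Patched with KB824146 and KB823980",
                            "Patched with KB823980", "Unpatched"],
    "TOTAL HOSTS SKIPPED": ["DCOM Disabled", "Needs Investigation",
                            "Connection refused", "Host unreachable",
                            "Other Errors"],
    "TOTAL ADDRESSES SCANNED": ["TOTAL HOSTS SCANNED", "TOTAL HOSTS SKIPPED"],
}

def parse_summary(text):
    """Return {label: count} for each 'label .... N' row; other lines are ignored."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in rows if m}

def check_totals(counts):
    """Return a list of problems: missing rows or totals that do not add up."""
    problems = []
    for total, parts in GROUPS.items():
        missing = [p for p in [total] + parts if p not in counts]
        if missing:
            problems.append(f"{total}: missing rows {missing}")
        elif sum(counts[p] for p in parts) != counts[total]:
            problems.append(f"{total}: parts sum to {sum(counts[p] for p in parts)}, "
                            f"reported {counts[total]}")
    return problems

def needs_kb824146(counts):
    """Scanned hosts still lacking the MS03-039 patch (823980 alone does not cover it)."""
    return counts["Patched with KB823980"] + counts["Unpatched"]

if __name__ == "__main__":
    c = parse_summary(SUMMARY)
    print(check_totals(c) or "totals consistent")
    print("hosts needing KB824146:", needs_kb824146(c))
```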