Re: Microsoft Security Bulletin MS03-049 - Installation problems?
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed, 12 Nov 2003 13:48:37 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Ok, so thanks go to Jeff Horning for pointing out I'm a dope...;-]
I think I've got it right now.
MS03-049 does not include a patch for Windows XP. The download link for Windows XP on MS03-049 actually goes to the patch from MS03-043. Would've been good for MS to make that obvious.
As MS said, the patch from MS03-043 fixes the issues discussed in MS03-049 for Windows XP systems, which explains why the link from MS03-049 goes to the patch for MS03-043.
What isn't discussed anywhere is the fact that on October 29th, when Microsoft re-released the MS03-043 patch due to the problems with the Update.exe program hanging, they actually rev'd the files in that patch. So while the MS03-043 web page INCORRECTLY says that the file versions will be as follows:
02-Oct-2003 5.1.2600.120 32,256 Msgsvc.dll (pre-SP1)
02-Oct-2003 5.1.2600.120 120,320 Wkssvc.dll (pre-SP1)
03-Oct-2003 5.1.2600.1301 32,256 Msgsvc.dll (with SP1)
03-Oct-2003 5.1.2600.1301 119,808 Wkssvc.dll (with SP1)
they are actually as follows:
21-Oct-2003 5.1.2600.121 32,256 Msgsvc.dll (pre-SP1)
21-Oct-2003 5.1.2600.121 120,320 Wkssvc.dll (pre-SP1)
21-Oct-2003 5.1.2600.1309 32,256 Msgsvc.dll (with SP1)
21-Oct-2003 5.1.2600.1309 119,808 Wkssvc.dll (with SP1)
Now this is where things are getting screwed up. See, if you installed the MS03-043 patch prior to the fix to it (and remember, the fix didn't protect you against anything new, it simply removed a bug in Update which caused it to hang when installing), you'll have v5.1.2600.1301. All is well except MSSecure.xml says you've got the wrong version (but you don't.)
If, however, you installed it after October 29th, you'll have v5.1.2600.1309. Since the file sizes are identical between the two releases, it would appear that all that was changed was the version number.
The MSSecure.xml checks for post-October 29th file information, hence the error.
I previously made some incorrect statements:
1. There is no MS03-049 update package for Windows XP.
2. v5.1.2600.1301 wkssvc.dll shipped with MS03-043 pre-October 29th version, not XP SP1.
3. There's no flaw in the logic, nor is there a flaw in the way people have their systems.
4. I said the v5.1.2600.1309 version could be applied to XP SP2; it will be included in XP SP2 (although the INF will allow it to be installed on that SP version).
There is nothing on Windows Update for XP systems related to MS03-049 because it was shipped as MS03-043. MS03-049 provides new protection for other OSes, but not XP, hence no patch.
I'm not sure how the various patch management products are going to deal with this one, should be interesting.
Russ - NTBugtraq Editor
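
Added example, not part of the post above and not Microsoft's MSSecure.xml logic: a small Python check that parses the two file tables quoted in the post, confirms that only the version field differs between them, and shows how a version check that accepts only the re-release values flags a machine patched before October 29th. The function names and the `EARLY_INSTALL` inventory are constructed for illustration, and matching on the version string alone is an assumption about how such a scanner compares files.

```python
import re

# Both tables are copied from the post: the MS03-043 web page listing and the
# file details of the 29 October re-release.
WEB_PAGE = """\
02-Oct-2003 5.1.2600.120 32,256 Msgsvc.dll (pre-SP1)
02-Oct-2003 5.1.2600.120 120,320 Wkssvc.dll (pre-SP1)
03-Oct-2003 5.1.2600.1301 32,256 Msgsvc.dll (with SP1)
03-Oct-2003 5.1.2600.1301 119,808 Wkssvc.dll (with SP1)
"""
RE_RELEASE = """\
21-Oct-2003 5.1.2600.121 32,256 Msgsvc.dll (pre-SP1)
21-Oct-2003 5.1.2600.121 120,320 Wkssvc.dll (pre-SP1)
21-Oct-2003 5.1.2600.1309 32,256 Msgsvc.dll (with SP1)
21-Oct-2003 5.1.2600.1309 119,808 Wkssvc.dll (with SP1)
"""
ROW = re.compile(r"(\S+)\s+([\d.]+)\s+([\d,]+)\s+(\S+)\s+\((pre-SP1|with SP1)\)")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_table(text):
    """Map (file name, SP branch) -> (version tuple, size in bytes)."""
    table = {}
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if m:
            _date, version, size, name, branch = m.groups()
            table[(name.lower(), branch)] = (parse_version(version), int(size.replace(",", "")))
    return table

def changed_fields(old, new):
    """Per file, which of version/size differ between two releases."""
    return {key: [f for f, a, b in zip(("version", "size"), old[key], new[key]) if a != b]
            for key in old}

def flagged(installed, branch, baselines):
    """Files whose installed version matches none of the accepted baselines."""
    bad = []
    for name, version in installed.items():
        accepted = {b[(name.lower(), branch)][0] for b in baselines}
        if parse_version(version) not in accepted:
            bad.append(name)
    return sorted(bad)

OLD, NEW = parse_table(WEB_PAGE), parse_table(RE_RELEASE)
# Constructed inventory: an XP SP1 machine patched before 29 October.
EARLY_INSTALL = {"Msgsvc.dll": "5.1.2600.1301", "Wkssvc.dll": "5.1.2600.1301"}

if __name__ == "__main__":
    print("changed between releases:", changed_fields(OLD, NEW))
    print("re-release only:", flagged(EARLY_INSTALL, "with SP1", [NEW]))
    print("either release: ", flagged(EARLY_INSTALL, "with SP1", [OLD, NEW]))
```
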