Re: Microsoft Security Bulletin MS03-049 - Installation problems?

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 11/12/03

    Date:         Wed, 12 Nov 2003 13:48:37 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Ok, so thanks goes to Jeff Horning for pointing out I'm a dope...;-]

    I think I've got it right now.

    MS03-049 does not include a patch for Windows XP. The download link for Windows XP on MS03-049 actually goes to the patch from MS03-043. Would've been good for MS to make that obvious.

    As MS said, the patch from MS03-043 fixes the issues discussed in MS03-049 for Windows XP systems, which explains why the link from MS03-049 goes to the patch for MS03-043.

    What isn't discussed anywhere is the fact that on October 29th, when Microsoft re-released the MS03-043 patch due to the problems with the Update.exe program hanging, they actually rev'd the files in that patch. So while the MS03-043 web page INCORRECTLY says that the file versions will be as follows;

    02-Oct-2003 5.1.2600.120 32,256 Msgsvc.dll (pre-SP1)
    02-Oct-2003 5.1.2600.120 120,320 Wkssvc.dll (pre-SP1)
    03-Oct-2003 5.1.2600.1301 32,256 Msgsvc.dll (with SP1)
    03-Oct-2003 5.1.2600.1301 119,808 Wkssvc.dll (with SP1)

    they are actually as follows;

    21-Oct-2003 5.1.2600.121 32,256 Msgsvc.dll (pre-SP1)
    21-Oct-2003 5.1.2600.121 120,320 Wkssvc.dll (pre-SP1)
    21-Oct-2003 5.1.2600.1309 32,256 Msgsvc.dll (with SP1)
    21-Oct-2003 5.1.2600.1309 119,808 Wkssvc.dll (with SP1)

    Now this is where things are getting screwed up. See, if you installed the MS03-043 patch prior to the fix to it (and remember, the fix didn't protect you against anything new, it simply removed a bug in Update which caused it to hang when installing), you'll have v5.1.2600.1301. All is well except MSSecure.xml says you've got the wrong version (but you don't.)

    If, however, you installed it after October 29th, you'll have v5.1.2600.1309. Since the file sizes are identical between the two releases, it would appear that all that was changed was the version number.

    The MSSecure.xml checks for post-October 29th file information, hence the error.

    I previously made some incorrect statements;

    1. There is no MS03-049 update package for Windows XP.

    2. v5.1.2600.1301 wkssvc.dll shipped with MS03-043 pre-October 29th version, not XP SP1.

    3. There's no flaw in the logic, nor is there a flaw in the way people have their systems.

    4. I said the v5.1.2600.1309 version could be applied to XP SP2, it will be included in XP SP2 (although the INF will allow it to be installed on that SP version).

    There is nothing on Windows Update for XP systems related to MS03-049 because it was shipped as MS03-043. MS03-049 provides new protection for other OS', but not XP, hence no patch.

    I'm not sure how the various patch management products are going to deal with this one, should be interesting.

    Cheers,
    Russ - NTBugtraq Editor

