Re: Microsoft Security Bulletin MS03-049 - Installation problems?
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu, 13 Nov 2003 12:09:08 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Makoto Shiotsuki made a good catch and let me know about it. Seems that the pre-October 29th version of MS03-043 had one more problem that never got a mention anywhere (including Microsoft's revision statement).
The pre-October 29th version of MS03-043 didn't update the dllcache directory version of wkssvc.dll on Windows XP SP1 systems (not sure about other OSes). So although it did install the updated files in the system32 directory, only msgsvc.dll was updated in dllcache.
This is the first time I'm aware of that Microsoft screwed up the list of files which Windows File Protection keeps an eye over. This must have happened; otherwise WFP would have replaced the file in the system32 directory with the older version of wkssvc.dll right away (assuming WFP is enabled). Clearly WFP seems not to care that the two files aren't the same, and that the updated version in the system32 directory is just fine, despite it not being the same as the one in the dllcache directory. Looks like WFP doesn't know how to check the consistency of the dllcache directory versions of files.
This was fixed in the re-release of MS03-043 on October 29th, but since nobody needs to apply the updated version of the patch, according to Microsoft, and Windows Update doesn't re-offer it... there are a lot of people out there with a wrong version of wkssvc.dll in their dllcache directory. If for some reason the system32 copy of the wkssvc.dll file is altered, I'd be curious what WFP is going to do. It'll first copy the version from the dllcache, but since that version isn't correct, it's either going to loop and do it over and over, or prompt for a copy from another source. I suspect it will loop, but I haven't tested this.
I also haven't tested whether running the updated version of MS03-043 on a machine which already has it is going to actually run; I'd expect the patch installer to say it's already applied (based on the presence of the registry key only) and abort. Likely you'll have to remove the 828035 registry key first, then run the patch again, to get the dllcache updated. Simply copying the updated file into the dllcache may work also, since WFP believes that version to be the correct one, but again I haven't tried this either.
Let me know your test results and I'll post the outcome when I have it.
Bad Microsoft, Bad. Firstly, the 2.0 revision statement in MS03-043 should have mentioned all of the changes, not simply a reference to the update.exe issue. I can appreciate the embarrassment of having to tell people to re-apply a botched patch, and how that might not be necessary to simply fix the update.exe problem, but these other two issues (changing the version of the files, and fixing the WFP list and dllcache copy) are clearly good reason to re-apply. This definitely should have been called out so people could avoid the problems with their patch solutions and get WFP fixed up.
If the revised version of the patch checked everything, and not just the registry key, it could determine those that installed the pre-October 29th version itself and re-apply where appropriate. Given the way it's working, that's not happening, and people seem to have to take unorthodox actions themselves (or rely on their patch management application to do it for them). Microsoft, this isn't helping.
Russ - NTBugtraq Editor
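Added check (not part of Russ's post or of any Microsoft tool): a PowerShell script that compares the system32 copy of each file the post names against its dllcache copy by file version and SHA-256, so an admin can spot the mismatch described above on WFP-era systems (XP/2003) before relying on WFP to repair anything. The file list and the SHA-256 comparison are assumptions; run it elevated, since dllcache is a hidden system directory.

```powershell
# Files named in the post; extend the list for other patches (assumption).
$FilesToCheck = @('wkssvc.dll', 'msgsvc.dll')

function Get-Sha256Hex {
    param([string]$Path)
    # Hash via .NET directly so hidden/system attributes do not get in the way.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Dispose() }
}

function Compare-DllCacheCopy {
    param([string[]]$Names)
    $sys32 = Join-Path $env:SystemRoot 'system32'
    $cache = Join-Path $sys32 'dllcache'   # WFP's backing store on XP/2003
    foreach ($name in $Names) {
        $live = Join-Path $sys32 $name
        $bak  = Join-Path $cache $name
        if (-not (Test-Path -LiteralPath $live) -or -not (Test-Path -LiteralPath $bak)) {
            [pscustomobject]@{ File = $name; Status = 'missing'; System32 = $null; DllCache = $null }
            continue
        }
        # -Force so Get-Item returns hidden items instead of erroring out.
        $liveVer = (Get-Item -LiteralPath $live -Force).VersionInfo.FileVersion
        $bakVer  = (Get-Item -LiteralPath $bak  -Force).VersionInfo.FileVersion
        $status = if ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $bak)) { 'match' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $name; Status = $status; System32 = $liveVer; DllCache = $bakVer }
    }
}

Compare-DllCacheCopy -Names $FilesToCheck | Format-Table -AutoSize
```

A MISMATCH row with an older DllCache version is the condition the post describes; fixing it is still a matter of re-applying the re-released patch or updating the dllcache copy, which the script deliberately does not do.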