Re: Microsoft Security Bulletin MS03-043/049 W2K anomalies

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 11/14/03

    Date:         Thu, 13 Nov 2003 23:27:23 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    So Darryl J. Roberts sent me a note that got me looking, and I found something I find extremely strange.

    The Windows 2000 versions of MS03-043 and MS03-049 are strangely close:

    MS03-043
    02-Oct-2003 21:17 5.00.2195.6861 96,528 wkssvc.dll

    MS03-049
    02-Oct-2003 21:53 5.00.2195.6862 96,528 wkssvc.dll

    Same date?? 26 minutes between versions?? No file size difference?

    Remember, MS03-049 states:

    "Note:"..."However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035)."

    ...files updated 26 minutes later??? Jeez, if someone had stopped MS03-043 production for a smoke we wouldn't have MS03-049??

    According to all I've been told about how the QFE process works, there's no way they were working on two separate versions of wkssvc.dll with final releases 26 minutes apart.

    Maybe they went back and modified the version of wkssvc.dll that is included in MS03-043 to reflect the updates MS03-049 provides, but on October 2nd?? I don't think so. Of course maybe someone in the QFE group simply has the wrong month on their computer...doh! Whatever it is, it's pretty strange stuff. The checksums don't match, but there sure doesn't seem to be much difference between them other than the version.

    Yet Microsoft tells us we need MS03-049 for W2K even if we have MS03-043, so that can't be it. But then why would they be so similar??

    One has to wonder why they didn't simply re-release the full MS03-043 patch for W2K under MS03-049. I have to reason that MS03-049 was necessary because they felt an update to MS03-043 for W2K environments wouldn't be considered "correct" by some, maybe the media, maybe researchers, maybe people internal to MS. Given what MS03-049 has turned into, my take is that the fact there was a discovery of a serious problem in the Workstation Service, something not originally part of MS03-043, would have best been handled as an update to MS03-043 with documentation similar to a Security Bulletin.

    Unfortunately, the whole Security Bulletin process doesn't handle such a situation well. No doubt they feel it's important to call out a new security issue with a bulletin, which is fine and good, but since they felt it OK to point the XP patch link from MS03-049 to the revised MS03-043 patch, why not do the same for W2K? I'll agree, a new Security Bulletin (MS03-049) versus a Major Rev of MS03-043 catches more eyes. But that's the print, the bulletin itself. There was, IMO, no need to issue a new W2K patch for MS03-049, simply rev the MS03-043 W2K patch and point MS03-049 at it.

    Microsoft needs to rethink its approach, given the rpc 26/39 example, and now wkssvc.dll in 43/49, maybe going according to file sets, and not vulnerability, would make more sense. But then no doubt they would get assailed for trying to cover up important issues as just a revision, but do we really need the misunderstandings that are caused by new bulletins revising the same files old bulletins revised? I have long stressed the importance of MSYY-XXX numbers, we refer to them all of the time. If Microsoft changed, would we refer to them as MSYY-XXXa, b, c...?? OTOH, if all IE updates were simply another revision to one produced originally 2 years ago, I suppose it would get tough to make your point.

    Tell me what you think Microsoft should do to avoid these sorts of problems.

    Cheers,
    Russ - NTBugtraq Editor

    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----
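Editor's added example (not part of Russ's post, and not Microsoft's own tooling): the question the post raises, "is there anything in the MS03-049 wkssvc.dll beyond a version bump?", is answerable from the files themselves. Same size and different checksum tells you almost nothing; hashing each PE section separately and reading the COFF link timestamp and VS_FIXEDFILEINFO version tells you which part of the binary changed and when the linker actually ran. The script below does that. The two images it compares are constructed in memory as stand-ins for the 6861 and 6862 builds: the section contents, the two-byte code change and the link times are all made up for the demonstration and carry no claim about the real DLLs.

```python
import hashlib
import struct
from datetime import datetime, timezone

VS_FIXEDFILEINFO_SIG = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO


def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                            # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_off, raw_size


def link_timestamp(data: bytes) -> str:
    """COFF TimeDateStamp (when the linker produced the image), as UTC text."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M")


def file_version(data: bytes):
    """'a.b.c.d' from the first VS_FIXEDFILEINFO found in the image, or None."""
    pos = data.find(struct.pack("<I", VS_FIXEDFILEINFO_SIG))
    if pos < 0:
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)       # dwFileVersionMS, dwFileVersionLS
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def compare_pe(a: bytes, b: bytes) -> dict:
    """Report size, hash, version, link time and the sections whose bytes differ."""
    sect_a = {n: hashlib.sha256(a[o:o + s]).digest() for n, o, s in pe_sections(a)}
    sect_b = {n: hashlib.sha256(b[o:o + s]).digest() for n, o, s in pe_sections(b)}
    return {
        "size": (len(a), len(b)),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "version": (file_version(a), file_version(b)),
        "link_time": (link_timestamp(a), link_timestamp(b)),
        "changed_sections": sorted(n for n in set(sect_a) | set(sect_b)
                                   if sect_a.get(n) != sect_b.get(n)),
    }


# --- constructed stand-ins (hypothetical, not the real wkssvc.dll builds) ---

def fixed_file_info(ver: str) -> bytes:
    """A bare VS_FIXEDFILEINFO block carrying the given 4-part version."""
    a, b, c, d = (int(x) for x in ver.split("."))
    return struct.pack("<IIII", VS_FIXEDFILEINFO_SIG, 0x10000, (a << 16) | b, (c << 16) | d)


def build_pe(sections: dict, timestamp: int) -> bytes:
    """Minimal PE32 image (not loadable) with the given {name: bytes} sections."""
    pe_off, opt_size, align = 0x40, 0xE0, 0x200
    hdr_len = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = (hdr_len + align - 1) & ~(align - 1)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table, body, raw_off = b"", b"", hdr_len
    for name, raw in sections.items():
        raw_size = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), raw_off,
                             raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_off += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


CODE_A = b"\x55\x8b\xec\x33\xc0" * 24              # made-up "code"
CODE_B = CODE_A[:60] + b"\x90\x90" + CODE_A[62:]    # same length, two bytes patched
T0 = 1065129420                                     # 2003-10-02 21:17 UTC, a constructed link time
SAMPLE_043 = build_pe({".text": CODE_A, ".data": b"\x01\x02\x03",
                       ".rsrc": fixed_file_info("5.0.2195.6861")}, T0)
SAMPLE_049 = build_pe({".text": CODE_B, ".data": b"\x01\x02\x03",
                       ".rsrc": fixed_file_info("5.0.2195.6862")}, T0 + 26 * 60)

if __name__ == "__main__":
    for k, v in compare_pe(SAMPLE_043, SAMPLE_049).items():
        print(f"{k:>17}: {v}")
```

On the stand-ins the report lists .rsrc and .text as changed and .data as identical, with link times 26 minutes apart. Run against two real files (replace SAMPLE_043/SAMPLE_049 with the bytes of each DLL), the same report answers the post's question directly: if only .rsrc changes, the two builds really are "the same code with a new version stamp"; if .text changes, the 6862 build carries a code fix. Two caveats for real binaries: the VS_FIXEDFILEINFO search is the common byte-scan shortcut rather than a walk of the resource directory, and the COFF timestamp is whatever the linker wrote, so it reflects the build machine's clock, not the packaging date shown in the bulletin's file table.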

