Re: Microsoft Security Bulletin MS04-003 - perceived problems

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/15/04

  • Next message: Manskopf, Michael: "MDAC Patch Installation Mystery" 
    Date:         Thu, 15 Jan 2004 11:11:13 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    A number of people have sent messages in regarding this patch, the MDAC update.

    1. QFECHECK fails to find any record of it being applied.

    2. The switches are distinctly different for this patch than others.

    3. The patch does not add an entry to "Add/Remove Programs"

    4. Some Patch Management products don't indicate the need for this patch.

    5. Installing the patch doesn't create an entry in the Event Viewer.

    6. Srvinfo, from the resource kit, doesn't show this patch as being applied.

    The MDAC group use an installer tool called DAHOTFIX.EXE, have for a long time. You may remember discussions in the past about 8 different installer tools being used by various groups at Microsoft, and not all of them providing the same functionality, switches, etc... This is one of the 8, and its one of the least used.

    As such, questions 1, 3, 4, 5, and 6 are all (largely) answered by this fact. This installer tool doesn't create the things the tools mentioned in those questions look for.

    Question 2 is answered in the bulletin itself, go to the section titled "Security Update Information", and then expand the sub-section titled "Microsoft Data Access Components (all versions)." You'll find all of the details there about the special way the installer switches work.

    For question 4, I've not received any information about specific patch management products. Some may detect the need, some may not. If you use a patch management product, and it hasn't detected the need for this patch, drop me a line.

    Given the number of things this installer doesn't do that people expect out of a hotfix installation, it sure would seem to me that Microsoft should get rid of this one ASAP, since they say they are working on getting rid of most of the installers.

    Cheers,
    Russ - NTBugtraq Editor

    -----
    Editor's Note: The 43rd Most Powerful Person in Networking says...

    Marcus Ranum's new book "The Myth of Homeland Security" is now out and is available from http://www.amazon.com/ranum In this hard-hitting review of the homeland security business, Ranum shows us how the problem is vastly harder than it's being made to sound, and how special interests, *** covering, and bureaucracy are threatening to derail any chance of making progress.
    -----

  • Next message: Manskopf, Michael: "MDAC Patch Installation Mystery"
    • Quantcast