RE: Another Low Blow From Microsoft: MBSA Failure!

From: Frank Knobbe (frank_at_knobbe.us)
Date: 02/11/04

    To: Joe DeMarco <demarcoj@comcast.net>
    Date: Tue, 10 Feb 2004 19:24:32 -0600
    
    
    

    On Tue, 2004-02-10 at 13:26, Joe DeMarco wrote:
    > Maybe it's just me but, I wouldn't consider a patch successfully
    > applied
    > until the machine is rebooted. Registry changes usually require this
    > process.

    I would go even further and question the reliability of just checking
    for the presence of Registry keys that claim a patch has been installed.
    Anything short of verifying the MD5 hash of a given DLL, driver file or
    executable just makes assumptions about a patched version being present
    or not. Those assumptions tend to come back to haunt you, and I believe
    there are enough people that had exactly that happening. I remember some
    patch (a year or so ago) that overwrote a previously patched DLL with a
    vulnerable version. Anything checking Registry keys, like Windows Update
    I believe, made the assumption that the system was patched when in fact
    the defective DLL rendered the system vulnerable.

    Any tool, Windows Update, MBSA, or 3rd party should check the actual
    files in question, not just logfiles or Registry keys (or anything that
    makes historical statements rather than actual statements).

    Regards,
    Frank
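
Added example, not part of the original message: a Python sketch of the check argued for above, comparing a recorded "patch installed" claim against the digest of the file actually on disk. The file name, byte contents and expected digest are constructed, the expected digest is assumed to come from a trusted manifest, and SHA-256 stands in for the MD5 named in the message.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file as it exists on disk right now."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_patch(claimed_installed: bool, expected: dict) -> dict:
    """Compare a historical claim (registry key, log entry) with current files.

    expected maps each file the patch should have replaced to the digest of
    the fixed build (assumed to come from a trusted manifest).
    """
    mismatched = sorted(
        path.name
        for path, digest in expected.items()
        if not path.is_file() or file_digest(path) != digest.lower()
    )
    verified = not mismatched
    return {
        "claimed": claimed_installed,
        "verified": verified,
        "mismatched": mismatched,
        # The case described in the message: the record says patched, the file is not.
        "false_assurance": claimed_installed and not verified,
    }


def demo() -> dict:
    fixed = b"constructed bytes: fixed build of example.dll"
    old = b"constructed bytes: older vulnerable build of example.dll"
    manifest_digest = hashlib.sha256(fixed).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        dll = Path(tmp) / "example.dll"
        dll.write_bytes(fixed)      # patch applied, install record written
        before = audit_patch(True, {dll: manifest_digest})
        dll.write_bytes(old)        # a later installer overwrites the fixed file
        after = audit_patch(True, {dll: manifest_digest})
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The install record never changes between the two audits; only the file comparison notices the regression.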

    
    


