RE: Post-Windows NT 4.0 Service Pack 6a Security Rollup

From: McHugh, Sean (SMchugh@grey.com)
Date: 07/30/01 

Message-ID: <0962DAF97B76D511BB3C00508B6F5F4AA6BBB7@xch2s.grey.com>
From: "McHugh, Sean" <SMchugh@grey.com>
To: focus-ms@securityfocus.com
Subject: RE: Post-Windows NT 4.0 Service Pack 6a Security Rollup
Date: Mon, 30 Jul 2001 15:23:55 -0400

Some of those that you list are either N/A (ie. the method of remediation
is manual; there is no *patch* per se) or are listed under different Q
article nomenclature. For instance the recent ISAPI
extension buffer overflow patch is listed under Windows NT 4.0 section in
the SPA article. Perhaps,
M$ can make some more money by charging a premium for bulletins and patches
that actually correspond in name and article id. This is at the heart of
the admin debate IMHO. When SP6a was 8 months old,
patching a system was a nightmare for those who were only then setting up
webservers. Technet didn't
have the handy search tool to find all post SP6a patches. But some of the
others you mention are completely valid. thanks.

-----Original Message-----
From: Rubens Altimari [mailto:rubens@altimari.com.br]
Sent: Sunday, July 29, 2001 1:26 PM
To: focus-ms@securityfocus.com
Subject: Re: Post-Windows NT 4.0 Service Pack 6a Security Rollup

> http://support.microsoft.com/support/kb/articles/q299/4/44.asp?ID=299444
> It would seem its a summary of all the hot fixes and patches since SP6a.

    Just a small note: not *all* hot fixes: there are a number of them that
are still needed after applying q299444. I just keep track of NT4/IIS4
patches, but if anyone is interested, according to my own list, they are:

for NT4:
http://www.microsoft.com/technet/security/bulletin/ms99-041.asp
http://www.microsoft.com/technet/security/bulletin/MS01-022.asp
http://www.microsoft.com/technet/security/bulletin/MS01-029.asp

for IIS4:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
http://www.microsoft.com/technet/security/bulletin/fq00-028.asp
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
http://www.microsoft.com/technet/security/bulletin/ms01-035.asp

    Some of them are pretty old, but I haven't found any clear statement
that they are not needed anymore.

Rubens Altimari

Relevant Pages

  • Re: Patch confusion
    ... Service Pack are rollup of everything released prior to it. ... customers want point-fixes for issues and infrequent Service Pack rollups. ... Others only want cumulative security fixes augmented by infrequent Service ... happy, patches are what you see, and nothing is compulsory. ...
    (microsoft.public.inetserver.iis)
  • [Full-Disclosure] RE: new internet explorer exploit (was new worm)
    ... >The known ingredient it uses is: ... XP service pack 2 Release candidate 1 patches this exploit. ... The code used by this worm to exploit it's users at least partly is (i ...
    (Full-Disclosure)
  • Re: Creating XP update cd
    ... updates since service pack 2 and burn them to a cd? ... You can even integrate those patches into your Windows XP ... How to use the Windows Update Catalog ... Creating an Integrated Installation ...
    (microsoft.public.windowsupdate)
  • Re: Microsoft Antispyware & NETBIOS Messenger
    ... When I reboot it is again AUTOMATIC. ... worse than a hole that you do see and thus monitor. ... You mention that you have all the patches which implies that you're using ... service pack two and it should be disabled automatically unless you, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: New Computer - Need Service Packs on CD
    ... Service Pack 1, and I can't get my internet connection to work ... You can download and save all updates for later use - including service ... You can even integrate those patches into your Windows XP ... How to use the Windows Update Catalog ...
    (microsoft.public.windowsxp.newusers)