Re: MS patch-scanner for Win-NT, 2K, IIS, SQL

From: Eric (ews@tellurian.net)
Date: 08/17/01


Message-Id: <5.1.0.14.0.20010816182433.034b3840@mail.tellurian.net>
Date: Thu, 16 Aug 2001 18:35:02 -0700
To: Jim Halfpenny <jim@openanswers.co.uk>, focus-ms@securityfocus.com, bugtraq@securityfocus.com
From: Eric <ews@tellurian.net>
Subject: Re: MS patch-scanner for Win-NT, 2K, IIS, SQL

for those that haven't read the 10 pages of FAQs with the tool... (what
techie reads FAQs anyway - it's more fun to execute and read later...)

I'd argue that for the MS01-015 situation below, the tool is doing a better
job than you've giving it credit for, and the fact that it found something
you didn't know about is reason enough to be running it.

MS01-015 contained TWO patches for IE
patch #1 was Q286045 for the cached content issue
patch #2 was Q286043 for the telnet issue (telnet when invoked via a
browser web page)

Unless you have BOTH patches applied, you are living in a false
reality. By running the tool, you can recongize the missing patch, and
apply it. Of course, if you don't think the telnet patch is relevant to
you, don't install it, but don't get upset at Microsoft for showing you a
missing patch - it's better they show you than not show you at all.

 From the FAQ KB:
http://support.microsoft.com/support/kb/articles/Q305/3/85.ASP
Q: Why are there two entries for some bulletins?
A: Some security bulletins have more than one patch. For example, MS01-015
references two separate Internet Explorer patches that should be installed,
one for the Telnet issue, and one for the file cache issue. The two patches
are differentiated in the Hfnetchk output with two separate Microsoft
Knowledge Base article numbers.

Regarding the updated version - it's right where the old one was.
(http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31154
) if you try and get it but keep getting the old version, then chances are
you've got a caching proxy server between you and the download center.

--eric
(sorry for my use of capitalizations, throw in a little color and font size
and you could call me Gibson :)

At 10:31 AM 8/16/2001 +0100, Jim Halfpenny wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>There seem to be some bugs in this tool </feignsupprise>. For instance, if
>it the patch for advisory MS01-015 is not istalled, it says the patch ID
>is Q286043 - it should in fact be Q286045. Q286043 is the patch for the
>"Telnet Logging Vulnerability." This is potentially a serious problem - if
>admins rely on tools like this to ensure their systems are patched, they
>are going to be misled. I haven't checked if the other advisory/patch IDs
>match one another, but I for one don't trust it.
>
>Also, has anyone else noticed the message saying an updated version is
>available when you run this program? I haven't been able to find a updated
>verison of the binary or the xml file at any of the URLs I've been given.
>
>Cheers,
>Jim Halfpenny
>
>~/o And that's not to say that there's anything wrong with being a cow
>anyway ~/o
>
>- -----------------------
>
>http://www.theregister.co.uk/content/4/21019.html
>
>MS patch-scanner for Win-NT, 2K, IIS, SQL
>By Thomas C Greene in Washington
>Posted: 15/08/2001 at 06:07 GMT
>
>We've been eager to spill the beans about this for weeks, and even hinted
>at
>it in a previous story http://www.theregister.co.uk/content/4/20960.html.
>Today it's official; MS has released a command-line application, HFNetChk,
>which will scan all NT and/or 2K machines in a network from a single
>location and compare their currently-installed patches with the latest
>ones
>available, making it easy for admins to identify and patch vulnerable
>machines.
>
>The app was developed by MS Security Program Manager Eric Schultze. We
>gave
>it a whirl over the weekend and it performed as advertised. It covers
>Win-NT
>and 2K; IIS 4.0 and 5.0; SQL Server 7.0 and 2000 (including MS Data
>Engine);
>and Internet Explorer 5.01 and later.
>
>The tool accesses an XML file, which it downloads automatically, and which
>contains information such as the files in each patch and their file
>versions
>and checksums, registry keys that would be applied by the hotfix,
>information about which patches supersede others, related Microsoft
>Knowledge Base article numbers, and the like.
>
>If any of the file or registry details on a scanned machine don't match
>the
>information in the XML file, the associated security patch is identified
>as
>not installed and the results are displayed on the screen. The
>corresponding
>Knowledge Base article number is also displayed.
>
>Switches can be used specify groups of computers to scan, output format,
>engine speed, types of checks, the location of the XML file and so on,
>according to the complete instructions, which should be available from MS
>later today.
>
>The progie:
>http://download.microsoft.com/download/win2000platform/Utility/2.1/NT45/EN-U
>S/nshc.exe
>
>The instructions (note, going live some time Wednesday):
>http://support.microsoft.com/support/kb/articles/q303/2/15.asp
>
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (SunOS)
>Comment: Made with pgp4pine 1.76
>
>iD8DBQE7e5LyCa7v1yGCVNgRAlDeAJ9Pxt2+UCSEahhoRtRSAxcCMM2zdgCgwSBN
>MUg5lydSlkpMwTMBMJAsbDc=
>=vCCA
>-----END PGP SIGNATURE-----



Relevant Pages

  • RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
    ... MS patch-scanner for Win-NT, 2K, IIS, SQL ... seems so far that the patches it suggests are accurate. ... it the patch for advisory MS01-015 is not istalled, ... verison of the binary or the xml file at any of the URLs I've been given. ...
    (Focus-Microsoft)
  • Re: MS02-065
    ... The yellow X's simply says that the xml file used by MBSA ... cannot *confirm* that the specific patch is installed. ... patch will show up with a red X. SP1 installs a version of msxml3 that is ... Did I really apply the patches to my system? ...
    (microsoft.public.inetserver.iis.security)
  • Re: Function to find overlapping patches
    ... I know this is an old topic, but I have not been able to locate useful information referred to on the FAQs. ... Has anyone else found useful approaches for finding overlapping patches? ... >> of using is to determine if any the line segments of one patch cross ... >> the segments of another patch. ...
    (comp.soft-sys.matlab)
  • [SLE] Patch CD
    ... Is it possible to make a patch cd from the downloaded ... patches from YOU so that I can install them on another computer? ... Please read the FAQs: suse-linux-e-faq@suse.com ...
    (SuSE)
  • [NT] Microsoft Releases Two Security Tools
    ... Microsoft Releases Two Security Tools ... current security patch status. ... security patches that have been released with security bulletins. ... When HFNetChk is run, it downloads the XML file, parses ...
    (Securiteam)