Re: Post SP 6a SRP

From: Eric (
Date: 10/24/01

Message-Id: <>
Date: Tue, 23 Oct 2001 18:29:58 -0700
To: "Ingersoll, Jared" <>,
From: Eric <>
Subject: Re: Post SP 6a SRP

read the bottom of this page:

Additional Information

The fixes for the following vulnerabilities affecting Windows NT 4.0
systems are not included in the SRP. Administrators should read the
associated security bulletin to determine if these patches should be applied:

Core OS
MS01-022 (Q296441) - WebDAV Service Provider Can Allow Scripts to
Levy Requests as User

Front Page Server Extensions
MS01-035 (Q300477) - FrontPage Server Extension Sub-Component
Contains Unchecked Buffer

Java Virtual Machine
MS00-081 (Q277014) - New Variant of VM File Reading Vulnerability

Which includes patches for:

MS99-031 : Virtual Machine Sandbox Vulnerability
MS99-045 : Virtual Machine Verifier Vulnerability
MS00-011 : VM File Reading Vulnerability
MS00-059 : Java VM Applet Vulnerability

The following fixes are not included in the SRP because they require
administrative action rather than a software change. Administrators should
ensure that in addition to applying this patch, they also have taken the
administrative action discussed in the following bulletins:

Core OS
MS98-001 (Q169556) - Disabling Creation of Local Groups on a Domain
by Non-Administrative Users
MS99-036 (Q155197) - Windows NT 4.0 Does Not Delete Unattended
Installation File
MS99-041 (Q242294) - RASMAN Security Descriptor Vulnerability

Internet Information Server
MS98-004 (Q184375) - Unauthorized ODBC Data Access with RDS and IIS
MS99-013 (Q232449) - File Viewers Vulnerability
MS99-025 (Q184375) - Unauthorized Access to IIS Servers through ODBC
Data Access with RDS

Front Page Server Extensions
MS00-025 (Q259799) - Link View Server-Side Component Vulnerability
MS00-028 (Q260267) - Server-Side Image Map Components Vulnerability

At 01:08 PM 10/22/2001 -0400, Ingersoll, Jared wrote:
>Does anyone have information on which patches are not included in the Post
>SP6a Security Roll-up package?
>Jared Ingersoll
>Information Systems Specialist
>Case Shiller Weiss, Inc.
>1698 Massachusetts Avenue
>Cambridge, MA 02138
>617.354.1400 x237
