RE: ms02-018 IS dangerous after all

From: Orange, Simon J (simon.orange@eds.com)
Date: 04/18/02


From: "Orange, Simon J" <simon.orange@eds.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 18 Apr 2002 14:23:27 +0100

All

I have also seen this apparent problem. On investigation I discovered that
the version of the XML file that HFNetChk (and thus also MBSA) runs was
produced before the hotfix MS02-018. As such, the information regarding file
sizes, versions and date stamps is not what HFNetChk is finding. If this
information does not match, HFNetChk reports this as not being installed
or damaged.
Get the latest version of the XML file from the MS web site, location :-
http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
This will then give a clean bill of health to any systems showing the
faults described below, minus any subsequent patches not installed.

Simon Orange
Systems Administrator Advanced
Central Management of Remote Systems
Electronic Data Systems - Defence
simon.orange@eds.com

____________________________________________

From: secret_shadow@hushmail.com [mailto:secret_shadow@hushmail.com]
Sent: 17 April 2002 23:05
To: focus-ms@securityfocus.com
Subject: Fwd: ms02-018 IS dangerous after all

Saw this on another mailing list. Thought it might be worth passing on.

-----Quoted Message-----

Date: Wed, 17 Apr 2002 16:51:48 -0400
From: jmcguire@sbcs.com
To: intrusions@incidents.org
Subject: ms02-018 IS dangerous after all

OK, I, and apparently a few others, have been tracking this down all day
and you may read about it other places shortly, but I believe there is a
major problem with this patch and other "update" methods from our friends
in Redmond.

A server we host here got Nimda, but it was caught and cleaned by the virus
scanner (NAV Corp). On Friday, as I posted here, I installed the hotfix
rollup MS02-018 on it with apparently no ill effects. Monday morning we
found that the worm had made its attempt. This afternoon I scanned the
machine with MBSA. It reported a list of hotfixes missing from the machine.

Most are MS02s, but MS00-079 and MS01-048 are missing too. There were
several that it could not confirm had been installed, given the network
environment between the server and me.

MS states that MBSA checks for the actually patched versions of the files
using a newer version of HFNetchk. I believe them on this point and I say
why in the next paragraph. I also believe that I have proven that ms02-018
and Windows Update uninstall (probably unintentionally) previously
implemented hotfixes.

I believe the tool because now that I have applied critical updates from
windows update and ms02-018 in that order, the tool shows my 2000 pro
machine up to date. In my previous post I mentioned that the tool reported
ms02-018 turned up missing between my first scan and the scan after WU had
run.

It appears WU removed the rollup, but that the rollup goes back on fine
after a "windows update" of the machine.

Not so easy with my IIS4 server that is now missing several patches.

My logic is this: If these were merely reporting errors and the Microsoft
information I have gotten back so far is inaccurate the tool would not now
report that a machine patched in a certain sequence is up to date.
Therefore, the tool must be accurate, at least for win2k sp2 boxes, and
many of us must have unsecured IIS boxes (the obvious retort "of course IIS
isn't secure" from the Unix crowd aside). This also indicates that the tool
is likely fairly accurate on the NT4 server.

This job just keeps getting more and more interesting. I love a challenge
;-)

Anyone seeing a jump in Nimda, code red, clone scans?
__________________________________________
JOHN MCGUIRE CISSP, MCSE2k, MCSE+I, MCT
888.529.0401
jmcguire@sbcs.com
Strictly Business
www.sbcs.com




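Editor's added example (not code from either poster, and not Microsoft's HFNetChk): a toy model of the check Simon Orange describes above, in which the scanner decides whether a hotfix is present by comparing the file versions and sizes listed in the downloaded mssecure XML database against the files on disk, and reports any mismatch as not installed or damaged. The two database revisions, the host inventory, and every file name, version number and size below are constructed for illustration; only the bulletin IDs come from the thread. The model also distinguishes a file that is OLDER than the database expects (the patch really is missing) from one that is NEWER (the database predates the patch, which is the thread's situation); treating those two cases differently is the editor's diagnostic, not a claim about how the real tool reports them.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for two revisions of the mssecure.xml database that
# HFNetChk downloads (bulletin IDs are from the thread; file names, versions
# and sizes are invented for illustration).  The stale revision was produced
# before the MS02-018 rollup shipped, so the versions it expects for that
# bulletin's files are not the ones the rollup actually installs.
STALE_DB_XML = """<Security>
  <Bulletin ID="MS01-048">
    <File Name="rpcrt4.dll" Version="5.0.2195.4015" Size="440592"/>
  </Bulletin>
  <Bulletin ID="MS02-018">
    <File Name="asp.dll" Version="5.0.2195.4998" Size="332048"/>
    <File Name="w3svc.dll" Version="5.0.2195.4998" Size="360720"/>
  </Bulletin>
</Security>"""

FRESH_DB_XML = """<Security>
  <Bulletin ID="MS01-048">
    <File Name="rpcrt4.dll" Version="5.0.2195.4015" Size="440592"/>
  </Bulletin>
  <Bulletin ID="MS02-018">
    <File Name="asp.dll" Version="5.0.2195.5200" Size="332304"/>
    <File Name="w3svc.dll" Version="5.0.2195.5200" Size="361232"/>
  </Bulletin>
</Security>"""

# Constructed inventory of a host that HAS the rollup but NOT MS01-048:
# file name -> (version string, size in bytes).
HOST_FILES = {
    "asp.dll": ("5.0.2195.5200", 332304),
    "w3svc.dll": ("5.0.2195.5200", 361232),
    "rpcrt4.dll": ("5.0.2195.3649", 438800),
}


def parse_version(s):
    """'5.0.2195.5200' -> (5, 0, 2195, 5200), so tuples compare numerically."""
    return tuple(int(p) for p in s.split("."))


def fmt_version(v):
    return ".".join(str(p) for p in v)


def parse_db(xml_text):
    """Return {bulletin_id: {file_name: (version_tuple, size)}}."""
    db = {}
    for bulletin in ET.fromstring(xml_text).findall("Bulletin"):
        db[bulletin.get("ID")] = {
            f.get("Name"): (parse_version(f.get("Version")), int(f.get("Size")))
            for f in bulletin.findall("File")
        }
    return db


def check_bulletin(expected, observed):
    """Apply the rule Simon describes: every file listed for the bulletin must
    match the database exactly, otherwise the hotfix is reported as not
    installed or damaged.  Returns (status, list_of_reasons)."""
    reasons = []
    for name, (exp_ver, exp_size) in expected.items():
        if name not in observed:
            reasons.append(f"{name}: file not present")
            continue
        obs_ver, obs_size = parse_version(observed[name][0]), observed[name][1]
        if obs_ver < exp_ver:
            reasons.append(f"{name}: {fmt_version(obs_ver)} is OLDER than expected {fmt_version(exp_ver)}")
        elif obs_ver > exp_ver:
            reasons.append(f"{name}: {fmt_version(obs_ver)} is NEWER than expected {fmt_version(exp_ver)}")
        elif obs_size != exp_size:
            reasons.append(f"{name}: size {obs_size} != expected {exp_size}")
    return ("INSTALLED", reasons) if not reasons else ("NOT FOUND", reasons)


def scan(db_xml, observed):
    """Run every bulletin in the database against the host inventory."""
    return {bid: check_bulletin(files, observed) for bid, files in parse_db(db_xml).items()}


def likely_stale_db(results):
    """Bulletins flagged only because every mismatching file is NEWER than the
    database expects: the signature of a database older than the patch (the
    thread's situation), as opposed to a patch that is really absent."""
    return sorted(
        bid for bid, (status, reasons) in results.items()
        if status == "NOT FOUND" and reasons and all("NEWER" in r for r in reasons)
    )


if __name__ == "__main__":
    for label, db in (("stale mssecure.xml", STALE_DB_XML), ("fresh mssecure.xml", FRESH_DB_XML)):
        results = scan(db, HOST_FILES)
        print(f"== {label} ==")
        for bid, (status, reasons) in sorted(results.items()):
            print(f"{bid}: {status}")
            for r in reasons:
                print(f"    {r}")
        print("  suspect stale database for:", likely_stale_db(results) or "none")
```

With the stale database the host is reported as missing MS02-018 even though the rollup is on disk, because every rollup file is newer than the database expects; re-running the same inventory against the fresh database clears MS02-018 and leaves only MS01-048, which really is absent. In practice, a "missing" finding where the files are newer than the scanner's expected versions is the cue to refresh mssecure.cab before touching the box, while files older than expected are the finding to act on.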
