RE: Hotfixes overwritten?

From: emann@questinc.org
Date: 05/17/02


From: emann@questinc.org
To: focus-ms@securityfocus.com
Date: Fri, 17 May 2002 13:30:22 -0400

What about the DLLCache and WFP? How does this play into the situation? It
checks versioning info of a file that attempts to be overwritten against the
DLLCache does it not? So would this not, in theory at least, prevent
hotfixes from being overwritten?

-----Original Message-----
From: Dennis M. Depp [mailto:dwd@ornl.gov]
Sent: Friday, May 17, 2002 11:11 AM
To: Greene, Michael; focus-ms@securityfocus.com
Subject: RE: Hotfixes overwritten?

Please correct me if I am wrong. My understanding is with Windows 2000 the
process of having to reinstall a service pack or hotfix after installing a
new service was eliminated. I don't understand the technical features of
this process, but when I install a new service, are not the necessary files
already supposed to be in place? Have you checked to verify that not all the
files for the service were updated? If so, can you give a more specific
scenario?

Dennis

-----Original Message-----
From: Greene, Michael [mailto:MGreene@lrs.com]
Sent: Friday, May 17, 2002 10:06 AM
To: focus-ms@securityfocus.com
Subject: Hotfixes overwritten?

Microsoft has published information about slip-streaming service packs into
CD images. This is normally done by expanding the service pack files and
overwriting the respective contents of the i386 directory. The intentions
here are to prevent changed files from being overwritten on the hard drive
when the operating system requests the CD. For instance, if an
administrator needed to add a Windows 2000 component such as DNS, the CD
would now be up to date so that the service pack would not have to be
reapplied after installation. It is a well-known concept (or it should be)
that if you make changes to the operating system files without using a
slip-streamed CD, you should reapply service packs to prevent known issues.

So what about security hotfixes? There is apparently no way to take this
kind of action when applying the Post Service Pack 2 Security Roll-up. Nor
is there any way to slipstream the "critical updates" Microsoft so
frequently releases. So, when a new service is installed from the CD, are
the security hotfixes overwritten?

There IS an article on the Microsoft web site that explains how to chain the
hotfixes to the installation point so they are applied after installation.
Please, don't confuse this with slip-streaming the files directly into the
CD.

Neither hfnetchk, MBSA, nor Windows Update does a full check of the files or
registry keys changed by hotfixes, so the reports of these scanners are
insufficient to report when a server has become vulnerable because of an
overwritten hotfix. So the only logical conclusion is that anytime a new
service is installed, the only way to ensure the security of the data on the
machine (speaking strictly in terms of operating system flaws) is to
uninstall every hotfix and reapply them. Granted, this should not be an all
day task using Qchain to apply regression tested hotfixes from a network
installation point.

But my question is, why on earth would Microsoft include the ability to
slipstream service packs but not security hotfixes?

____________________________
Michael Greene
Levi, Ray and Shoup, Inc.
IT Solutions - Security Team
(217)793-3800 x1253
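The file-level check the thread is missing (WFP's version comparison in the first reply, and Greene's point that the scanners do not compare the files a hotfix changed) can be approximated by recording file versions right after hotfixes are applied and diffing them against the current versions after a new component is installed. This is an added example, not code from the list posters or from Microsoft; the paths and version numbers are constructed and hypothetical.

```python
"""Flag hotfixed system files that now carry an older version (e.g. copied back from the CD)."""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Windows VERSIONINFO string such as '5.0.2195.4926' into a comparable tuple.
    Missing trailing fields are padded with zeros, so '5.0.2195' equals '5.0.2195.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def find_regressions(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, recorded_version, current_version) for every file whose current
    version is older than the one recorded after the hotfixes were applied.
    A file that has disappeared is reported with current version 'MISSING'."""
    regressed = []
    for path, recorded in sorted(baseline.items()):
        now = current.get(path)
        if now is None:
            regressed.append((path, recorded, "MISSING"))
        elif parse_version(now) < parse_version(recorded):
            regressed.append((path, recorded, now))
    return regressed


# Constructed sample manifests (hypothetical paths and versions, not from any real hotfix).
BASELINE_AFTER_HOTFIXES = {
    r"C:\WINNT\system32\drivers\tcpip.sys": "5.0.2195.4900",
    r"C:\WINNT\system32\dns.exe": "5.0.2195.4800",
    r"C:\WINNT\system32\ntoskrnl.exe": "5.0.2195.4700",
}
CURRENT_AFTER_ADDING_SERVICE = {
    r"C:\WINNT\system32\drivers\tcpip.sys": "5.0.2195.4900",  # unchanged
    r"C:\WINNT\system32\dns.exe": "5.0.2195.2779",            # older copy pulled from the CD
    r"C:\WINNT\system32\ntoskrnl.exe": "5.0.2195.4700",       # unchanged
}

if __name__ == "__main__":
    for path, recorded, now in find_regressions(BASELINE_AFTER_HOTFIXES, CURRENT_AFTER_ADDING_SERVICE):
        print(f"REGRESSED {path}: recorded {recorded}, now {now}; reapply the hotfix")
```

On a real host the two dictionaries would be filled from each file's version resource, once right after the hotfixes are installed and again after adding the component, which gives the per-file evidence that a registry-key check alone cannot.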