Re: Hotfixes overwritten?
From: Tod Beardsley (todb@planb-security.net)
Date: 05/20/02
Date: Mon, 20 May 2002 09:21:04 -0700
From: Tod Beardsley <todb@planb-security.net>
To: focus-ms@securityfocus.com

Greene, Michael (Friday, May 17, 2002, 9:00 AM) wrote:
> Does anyone else find [hotfix overwrites] disturbing? Is there a
> solution?

Unfortunately, the solution is to reapply hotfixes after installing
anything that touches hotfixed files. You can check your machine with
HFNetCheck or What Changed? or somesuch, and base your hotfix reinstall
decision on those results, but today, there's no easy, automated way
to make sure hotfixes "stick" after a component install.

You could set up some security auditing to drop events in the log,
based on file writes, then run some kind of log scraper (like NetIQ)
to watch for changes. But you'd have to tag each file you cared about
on each machine (scriptable, but the initial labor would be
irritating). And, your events would end up potentially buried in your
security log, and not someplace sensible like your system log.

I wonder if you could mess with Windows File Protection to get the
results you're after? I haven't fooled around with WFP too much.

--
Tod Beardsley (GCIA, MCSE)
"It's okay to yell fire in a crowded theater if the theater is actually on fire."
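
An added example, not part of the original message: one way to script the "check, then decide whether to reapply" step is to record the version and hash of each hotfixed file right after patching, then compare after any component install and flag files that went back to an older version. The watched-file list, baseline path and function names are assumptions for illustration, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example: baseline hotfixed files, then flag any that were later replaced.
# The watched-file list and baseline path are assumptions; adjust per host.
$WatchedFiles = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\kernel32.dll"
)
$BaselinePath = 'C:\HotfixBaseline\baseline.xml'   # hypothetical location

function Get-FileState {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Use the numeric version parts; the FileVersion string can carry free text.
    $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart,
        $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    [pscustomobject]@{
        Path    = $Path
        Version = $ver.ToString()
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Save-HotfixBaseline {
    # Run right after hotfixes are applied and verified.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $WatchedFiles | ForEach-Object { Get-FileState $_ } | Export-Clixml -Path $BaselinePath
}

function Test-HotfixBaseline {
    # Run after any component or application install.
    foreach ($old in (Import-Clixml -Path $BaselinePath)) {
        if (-not (Test-Path -LiteralPath $old.Path)) {
            [pscustomobject]@{ Path = $old.Path; Status = 'MISSING'; Was = $old.Version; Now = $null }
            continue
        }
        $new = Get-FileState $old.Path
        if ($new.Sha256 -eq $old.Sha256) { continue }   # file untouched
        $status = if ([version]$new.Version -lt [version]$old.Version) {
            'REGRESSED'   # older binary written over the hotfixed one: reapply
        } elseif ([version]$new.Version -gt [version]$old.Version) {
            'UPDATED'     # newer binary: refresh the baseline
        } else {
            'CHANGED'     # same version, different bytes: investigate
        }
        [pscustomobject]@{ Path = $old.Path; Status = $status; Was = $old.Version; Now = $new.Version }
    }
}
```

Run `Save-HotfixBaseline` once after patching, then `Test-HotfixBaseline` after each install; any `REGRESSED` row is a file whose hotfix needs reapplying.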