RE: Hotfixes overwritten?

From: Darren W. MacDonald (darrydoo@aci.on.ca)
Date: 05/18/02


From: "Darren W. MacDonald" <darrydoo@aci.on.ca>
To: "'Greene, Michael'" <MGreene@lrs.com>, "'Dennis M. Depp'" <dwd@ornl.gov>
Date: Fri, 17 May 2002 21:24:44 -0400

All:

Michael, your statement, "...Windows should prompt for a service pack
installation point. ...", directly conflicts with my experience, and
what's documented in the quoted KB article -- service packs are locally
cached, and fully known to the OS, so no prompting for location should
occur.

As to why things are done differently for hotfixes, I believe the short
answer would be "time". The QFE group (Quick Fix Engineering) works to
create hotfixes quickly, and because of this time limitation, certain
shortcuts are taken (like regression testing, as documented for each and
every hotfix).

Since hotfixes are intended to fix specific problems, and are not really
meant for use by the masses, I believe it was a conscious decision by M$
to not have the functionality. Their response would likely be "wait for
the next service pack, give us a chance to test this puppy". Of course,
now that security hotfixes are more important to the company, that
policy may change -- at least for said security hotfixes. IMHO, if M$
used MSI-like technology to package and deliver hotfixes, then there
would be no need to re-install them; the OS could self-heal if files
etc. were replaced.

For us poor slobs still supporting NT4 infrastructures, we can't even
slipstream, nor does the OS cache the SP locally; we have to apply
*both* SPs and hotfixes. In summary: make the change, apply SP6a, apply
post-SP6a security rollup (53 hotfixes in one package), apply *563* (!)
hotfixes, run QCHAIN.EXE, and reboot. Or forego QCHAIN.EXE, and reboot
565 times <sigh...>. Consider yourselves lucky.

Michael, you stated elsewhere that HfNetChk and MBSA don't adequately
verify the existence of these hotfixes. Can you provide some specific
examples of hotfixes that were no longer properly installed, but either
of these tools said that they were? I agree that Windows Update doesn't
adequately check, but both HfNetChk and MBSA have access to full file
version and patch-related registry information via the XML file. I have
yet to see these two tools fail -- I have seen people misinterpret the
results, though.

Cheers
Darren W. MacDonald

-----Original Message-----
From: Greene, Michael [mailto:MGreene@lrs.com]
Sent: May 17, 2002 12:01 PM
To: 'Dennis M. Depp'
Cc: focus-ms@securityfocus.com
Subject: RE: Hotfixes overwritten?

Thank you Dennis. I should correct myself. The service pack files are
not overwritten; Windows should prompt for a service pack installation
point. However, this article specifically states that hotfixes are
overwritten without any notice to the user or event log, and there is
no way to tell after the fact.

Does anyone else find this disturbing? Is there a solution?

Not Necessary to Reinstall Windows 2000 Service Packs After System State
Changes (Q274215)

------------------------------------------------------------------------

The information in this article applies to:

- Microsoft Windows 2000 Professional SP1, SP2
- Microsoft Windows 2000 Server SP1, SP2
- Microsoft Windows 2000 Advanced Server SP1, SP2

------------------------------------------------------------------------

SUMMARY

After you change the system state by adding or changing additional Windows 2000 components, you do not need to reapply Windows 2000 service packs.

MORE INFORMATION

When you install a Windows 2000 service pack, the Update.exe tool performs the following actions:

- The Layout.inf file is updated with an additional source for Windows 2000 service pack files, so when you add or change additional components the Layout.inf file points to the correct source. The source location is stored in the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

  The source could be a network share of the Windows 2000 service pack, the Windows 2000 service pack CD-ROM, or, if you install the Windows 2000 service pack by using the Express Installation from the Web, the %systemroot%\servicepackfiles folder.

- Windows 2000 service packs also update the Drvindex.inf file to point to an additional .cab file for drivers that are updated in the Windows 2000 service pack. The name of this .cab file is Spn.cab (where n is the service pack version number), and this file is installed to the %systemroot%\driver cache\i386 folder.

- A new Spn.cat file (where n is the service pack version number) is also installed for the updated files. This replaces any previously installed Spn.cat file that was installed with a Windows 2000 hotfix. The Spn.cat file is installed to the %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder.

Hotfixes do not update the Layout.inf file. Therefore, if you install a hotfix and system state changes occur, you may need to reapply the hotfix.

Windows 2000 service packs also perform version checking on files, so that post-Windows 2000 SPn hotfixes (where n is the service pack version number) remain in place and do not need to be reapplied after installation of the service pack. For example, hotfixes prior to Windows 2000 Service Pack 1 (SP1) are updated to the service pack files.
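Darren's point above is that a scanner with file-version data and the hotfix registry entries can tell whether a hotfix is really still in place, while Michael's worry is that an overwritten hotfix leaves no trace. The script below is an added example for this thread, not HfNetChk, MBSA or any Microsoft code: it contrasts a registry-only audit (is the hotfix's install key present?) with a file-version audit (is every file the hotfix shipped still at or above the hotfix's version?), using the KB's rule that a newer file is fine because a later service pack or fix superseded it. The manifest, hotfix ids, file names, registry view and on-disk versions are all constructed for illustration and stand in for the scanners' XML data and a real registry query.

```python
"""Detect hotfix files that were silently replaced by older copies.

Added example, not code from HfNetChk, MBSA or Microsoft. All hotfix ids,
file names and version numbers below are constructed and are not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0.2195.4000' -> (5, 0, 2195, 4000); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


# Constructed manifest standing in for the scanners' XML:
# hotfix id -> {file it ships: minimum version that file must be at}.
HOTFIX_MANIFEST: Dict[str, Dict[str, str]] = {
    "Q000001": {"system32\\netapi.dll": "5.0.2195.4001"},
    "Q000002": {"system32\\msgsvc.dll": "5.0.2195.4100",
                "system32\\drivers\\afd.sys": "5.0.2195.4100"},
    "Q000003": {"system32\\rpcrt4.dll": "5.0.2195.3900"},
}

# Constructed registry view: hotfix ids whose install keys are present.
INSTALLED_KEYS: Set[str] = {"Q000001", "Q000002", "Q000003"}

# Constructed on-disk versions after a component was added from a CD that
# was not slipstreamed: msgsvc.dll dropped back to an older build, afd.sys
# is gone, rpcrt4.dll was superseded by a later fix (newer is acceptable).
OBSERVED_VERSIONS: Dict[str, str] = {
    "system32\\netapi.dll": "5.0.2195.4001",
    "system32\\msgsvc.dll": "5.0.2195.2778",
    "system32\\rpcrt4.dll": "5.0.2195.4200",
}


@dataclass
class Finding:
    hotfix: str
    file: str
    expected: str
    found: Optional[str]  # None means the file is missing from disk


def registry_only_check(manifest: Dict[str, Dict[str, str]],
                        installed: Set[str]) -> List[str]:
    """What a registry-only audit reports: hotfixes with no install key."""
    return sorted(set(manifest) - installed)


def file_version_check(manifest: Dict[str, Dict[str, str]],
                       installed: Set[str],
                       observed: Dict[str, str]) -> List[Finding]:
    """Hotfixes the registry says are installed whose files are older than
    the hotfix requires, or absent. Newer files pass: a later service pack
    or hotfix superseded them, as the KB article describes."""
    findings: List[Finding] = []
    for hotfix in sorted(installed):
        for path, minimum in manifest.get(hotfix, {}).items():
            found = observed.get(path)
            if found is None or parse_version(found) < parse_version(minimum):
                findings.append(Finding(hotfix, path, minimum, found))
    return findings


def audit(manifest=HOTFIX_MANIFEST, installed=INSTALLED_KEYS,
          observed=OBSERVED_VERSIONS) -> Dict[str, object]:
    """Run both audits over the same system view so they can be compared."""
    return {
        "registry_missing": registry_only_check(manifest, installed),
        "overwritten": file_version_check(manifest, installed, observed),
    }


if __name__ == "__main__":
    result = audit()
    # Registry-only view: every key is present, so nothing is reported.
    print("registry-only audit, missing hotfixes:", result["registry_missing"])
    # File-version view: the two files Q000002 shipped are no longer intact.
    for f in result["overwritten"]:
        state = "missing" if f.found is None else f"found {f.found}"
        print(f"{f.hotfix}: {f.file} expected >= {f.expected}, {state}")
```

The registry-only pass reports nothing, which is the false "all patched" picture Michael describes; the version pass flags both files of the constructed Q000002 even though its install key is still present. Against a real host the observed-version dictionary would be filled from the binaries' version resources and the installed set from the hotfix registry keys.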

-----Original Message-----
From: Dennis M. Depp [mailto:dwd@ornl.gov]
Sent: Friday, May 17, 2002 10:11 AM
To: Greene, Michael; focus-ms@securityfocus.com
Subject: RE: Hotfixes overwritten?

Please correct me if I am wrong. My understanding is with Windows 2000 the process of having to reinstall a service pack or hotfix after installing a new service was eliminated. I don't understand the technical features of this process, but when I install a new service, are not the necessary files already supposed to be in place? Have you checked to verify that not all the files for the service were updated? If so, can you give a more specific scenario?

Dennis

-----Original Message-----
From: Greene, Michael [mailto:MGreene@lrs.com]
Sent: Friday, May 17, 2002 10:06 AM
To: focus-ms@securityfocus.com
Subject: Hotfixes overwritten?

Microsoft has published information about slip-streaming service packs into CD images. This is normally done by expanding the service pack files and overwriting the respective contents of the i386 directory. The intentions here are to prevent changed files from being overwritten on the hard drive when the operating system requests the CD. For instance, if an administrator needed to add a Windows 2000 component such as DNS, the CD would now be up to date so that the service pack would not have to be reapplied after installation. It is a well-known concept (or it should be) that if you make changes to the operating system files without using a slip-streamed CD, you should reapply service packs to prevent known issues.

So what about security hotfixes? There is apparently no way to take this kind of action when applying the Post Service Pack 2 Security Roll-up. Nor is there any way to slipstream the "critical updates" Microsoft so frequently releases. So, when a new service is installed from the CD, are the security hotfixes overwritten?

There IS an article on the Microsoft web site that explains how to chain the hotfixes to the installation point so they are applied after installation. Please don't confuse this with slip-streaming the files directly into the CD.

Neither hfnetchk, MBSA, nor Windows Update does a full check of the files or registry keys changed by hotfixes, so the reports of these scanners are insufficient to report when a server has become vulnerable because of an overwritten hotfix. So the only logical conclusion is that anytime a new service is installed, the only way to ensure the security of the data on the machine (speaking strictly in terms of operating system flaws) is to uninstall every hotfix and reapply them. Granted, this should not be an all-day task using Qchain to apply regression-tested hotfixes from a network installation point.

But my question is, why on earth would Microsoft include the ability to slipstream service packs but not security hotfixes?

____________________________
Michael Greene
Levi, Ray and Shoup, Inc.
IT Solutions - Security Team
(217)793-3800 x1253


