Windows 2000 SP3 (security) problems

From: Andreas Marx (amarx@gega-it.de)
Date: 08/19/02


From: "Andreas Marx" <amarx@gega-it.de>
To: focus-ms@securityfocus.com
Date: Mon, 19 Aug 2002 20:00:34 +0200

Hello,

if you have Windows 2000 installed and have already applied SP3 (which I
strongly recommend once you've finished your internal tests), be sure to
check again whether all required security updates/patches and hotfixes are
installed. It seems that Microsoft has "forgotten" some of the older
and newer ones. If you currently check the "Hotfix & Security Bulletin
Service" (formerly "... Search"), you'll find a list of three patches:
one that MS forgot to include in SP3 (MS01-022, April 2001), another
one (MS02-008, see my posting below) and a newly discovered problem
(MS02-042, released today).

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=5&servicepackid=3&submit1=go&isie=yes

Attached is some more information from a letter I sent to MS regarding a few
problems I found. I got the response that they would check this (that
it's likely a mistake), but did not get any further comments from them
after that. Here's the original text (written a few days ago):

--- start ---

Hello,

I've found a few problems with your Security Updates and W2k SP3. The
first one: If I go to "HotFix & Security Bulletin Search", select Windows
2000 and then SP3 and click on Go, one update is displayed (MS02-008,
last updated on May 30, 2002):

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=5&servicepackid=3&submit1=go&isie=yes

However, on my computer I cannot install this update (maybe because I'm
using IE 6 plus additional patches?). Do I really need this update, or is
this a mistake?

I also saw that SP3 did not remove one post-SP2 hotfix, the one for
MS02-024 (DebPloit problem, Q320206, dated May 22, 2002). Therefore, I
think the fix is not included in SP3. I just updated a Win2k Gold
machine to SP3, and after this I could apply this patch. OK, the name of
the patch is Q320206_W2K_SP4_X86_DE.exe, so it looks like it's not
included in SP3 but is scheduled for SP4? However, why is this patch not
listed in the "HotFix&Security Bulletin Search" for Win2k SP3?

And the third problem: It looks like MS02-029 (Q318138, dated June
12, 2002; last updated July 2, 2002) is included in SP3, but only in an
older version (1.2?). After installing SP3 we saw the same problems
with VPN connections as the ones the updated patch (version 2.0) should
fix. Is the most current patch really included in SP3, or an older version?
If it's an older version, why is it not listed in the "HotFix&Security
Bulletin Search" section for Win2k SP3 so customers can download the newer
version?

Thanks,
Andreas

--- end ---

Note: It looks like MS has really included a lot of security-related
fixes in SP3. For example, I have already seen a few Bugtraq postings
indicating this, and I saw that nearly all the problems I reported to them
last year (2001) and this year were fixed with it.

Even though I'd call some of them really critical (execution of chosen
code, but not a buffer overflow), MS refused to create a separate Security
Bulletin for them. Windows XP is still not patched, btw; they want to do
this with SP1, so I don't want to publish any information (details) about
these bugs or example code yet. Windows ME won't be patched at all (maybe
because there is a work-around).

However, the "Black Hats" already seem to know about the problems: at
least three viruses are using such code at the moment to spread faster
(NOT by e-mail, but by other means).

cheers,
Andreas

-- 
Andreas Marx <amarx@gega-it.de>, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469
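As an added example (not part of Andreas Marx's posting, and not a Microsoft tool): a PowerShell script that does the check the posting recommends, i.e. after applying a service pack, verify that the individually required hotfixes are actually present instead of trusting the service pack's contents. It assumes that installed hotfixes are visible through Win32_QuickFixEngineering (Get-HotFix) and/or as subkeys under the Windows NT "Hotfix" and "Updates" registry paths, as on Windows 2000/XP-era installers; both of those locations are assumptions, not something the posting states. The required list contains only the two Q numbers the posting gives (Q320206 for MS02-024, Q318138 for MS02-029); the binary path passed to Get-BinaryVersion is something you supply from the bulletin, because the posting does not name the file whose version (1.2 vs 2.0) differs.

```powershell
# Added example: verify required hotfixes after a service pack install.
# Not from the original posting. Registry locations and the Q->KB naming
# mapping are assumptions based on the Windows 2000/XP hotfix installers.

$Required = @(
    @{ Bulletin = 'MS02-024'; Id = 'Q320206' }   # DebPloit fix; posting says it is post-SP3
    @{ Bulletin = 'MS02-029'; Id = 'Q318138' }   # VPN fix; posting says SP3 ships an older build
)

function Get-InstalledHotfixIds {
    # Collect hotfix identifiers from every source we know about, upper-cased.
    $ids = New-Object System.Collections.Generic.HashSet[string]

    # WMI view (Win32_QuickFixEngineering, wrapped by Get-HotFix).
    try {
        Get-HotFix -ErrorAction Stop |
            ForEach-Object { [void]$ids.Add($_.HotFixID.ToUpper()) }
    } catch { }

    # Registry view used by the older hotfix installers (assumed layout).
    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix',
        'HKLM:\SOFTWARE\Microsoft\Updates'
    )
    foreach ($p in $regPaths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { [void]$ids.Add($_.PSChildName.ToUpper()) }
        }
    }
    return $ids
}

function Test-RequiredHotfixes {
    # Return the entries of $Required that are not present in $Installed.
    param(
        [hashtable[]]$Required,
        [System.Collections.Generic.HashSet[string]]$Installed
    )
    $missing = @()
    foreach ($r in $Required) {
        $q  = $r.Id.ToUpper()
        $kb = $q -replace '^Q', 'KB'     # same number under the newer KB naming
        if (-not ($Installed.Contains($q) -or $Installed.Contains($kb))) {
            $missing += $r
        }
    }
    return $missing
}

function Get-BinaryVersion {
    # File version of a patched binary, for the "older build shipped in SP3"
    # case; the caller supplies the path named in the bulletin.
    param([string]$Path)
    if (Test-Path $Path) { return (Get-Item $Path).VersionInfo.FileVersion }
    return $null
}

$installed = Get-InstalledHotfixIds
$missing   = Test-RequiredHotfixes -Required $Required -Installed $installed
if ($missing.Count -eq 0) {
    Write-Output 'All required hotfixes are present.'
} else {
    foreach ($m in $missing) {
        Write-Output ('MISSING: {0} ({1})' -f $m.Bulletin, $m.Id)
    }
    exit 1
}
```

Run it elevated so the registry hives and WMI are readable; a non-zero exit means at least one bulletin from the required list is not registered on the host, which is exactly the situation the posting describes for MS02-024 after SP3. For a bulletin that SP3 includes only in an older build, the hotfix ID check is not enough: compare Get-BinaryVersion on the file the bulletin names against the version the current package ships.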
