Re: MS01-022 INCLUDED IN SP3?

From: user (user@domain.org)
Date: 08/20/02


Date: Tue, 20 Aug 2002 14:53:08 -0400
From: user <user@domain.org>


Thanks for feedback Torgeir.

I applied SP3 to a test box with the patch already applied and did not
see a version update. I then tried a clean install and SP3 and found it
was still unpatched. I was going by what the MS01-022 bulletin last
said and by what the SP3 readmes didn't say. I then posted this and
also contacted MS. Received no reply from MS but did see an update to
their bulletin posted on August 12. Also, never got an update to the
bulletin via e-mail.

The changes found @:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-022.asp

<AXED>

Installation platforms:
       The patch can be installed on any of the following platforms:

            Windows 95
            Windows 98
            Windows 98 Second Edition
            Windows Me
            Windows NT 4.0 Workstation Service Pack 6a.
            Windows NT 4.0 Server and Server, Enterprise Edition, Service Pack 6a.
            Windows NT 4.0 Server, Terminal Server Edition, Service Pack 6.
            Windows 2000 Professional, Server, Advanced Server or Datacenter Server, when running the Gold version, Service Pack 1 or the forthcoming Service Pack 2.

       Inclusion in future service packs:
>>> The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP. In addition, any other products that ship the Microsoft Data Access Component Internet Publishing Provider will ship a corrected version in their next version or service pack.

<AXED>

Revisions:

            V1.0 (April 18, 2001): Bulletin Created.
>>> V1.1 (August 12, 2002): Bulletin updated to correct error and indicate that this fix will be provided in Windows 2000 Service Pack 4.

- - -

Torgeir Bakken wrote:
>
> user wrote:
>
> > Security Bulletin MS01-022 states the fix will be included in Windows
> > 2000 SP3. I looked at all SP3 documentation and have not found any
> > mention of the stated bulletin or Q296441. Has MS01-022 been addressed
> > in SP3 or not?
>
> From http://www.microsoft.com/technet/security/bulletin/ms01-022.asp
>
> <quote>
> How do I know whether I need the patch?
>
> The easiest way is to check the version number of the Provider. Follow these
> steps to determine the version number:
>
> 1. From the Start menu, select Search, then For Files or Folders
> 2. In the Search For field, type msdaipp.dll and click the Search Now button
> 3. If msdaipp.dll is not present on your machine, you are not affected by the
> vulnerability and do not need the patch.
> 4. If msdaipp.dll is present on your machine, right-click on the file in the
> search window, then select Properties, then Version. Consult the table below to
> determine if you have a version with the vulnerability.
>
> Version Number        Status
> 8.102.1403.0          Affected
> 8.103.2402.0          Affected
> 8.103.2519.0          Affected
> All other versions    Unaffected
>
> </quote>
>
> Win2k SP2: v8.103.2402.0
> Win2k SP3: v8.103.2402.0
>
> Conclusion: It is *not* included in Service Pack 3
>
> > Also, am I correct to assume that Windows 2000 Application Compatibility
> > Update v1.7 - March '01 was included in SP3?
>
> I don't know.

There was mention of some app compat updates but not specifically the
last ones posted.

>
> --
> torgeir
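
The version check from the quoted bulletin steps, scripted as an added PowerShell example (not part of the thread or the bulletin). The default search root and the function name `Get-ProviderStatus` are assumptions; the affected version list is copied from the table quoted above.

```powershell
# Added example: scripted form of the MS01-022 "do I need the patch?" steps.
param(
    # Assumption: search the whole system drive, mirroring the bulletin's
    # Start > Search procedure. Pass narrower roots to speed this up.
    [string[]]$SearchRoot = @("$env:SystemDrive\")
)

# Affected versions, taken from the bulletin table quoted in the thread.
$affected = @('8.102.1403.0', '8.103.2402.0', '8.103.2519.0')

function Get-ProviderStatus {
    param([Parameter(Mandatory)][string]$Path)

    $vi = (Get-Item -LiteralPath $Path -Force).VersionInfo

    # Build the version from the numeric fields: the FileVersion string can
    # carry extra text, which would break an exact match against the table.
    $version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart

    # Per the table: the three listed versions are affected, all others are not.
    $status = 'Unaffected'
    if ($affected -contains $version) { $status = 'Affected' }

    [pscustomobject]@{
        Path    = $Path
        Version = $version
        Status  = $status
    }
}

# Steps 1-2: locate every copy of msdaipp.dll under the search roots.
$hits = Get-ChildItem -Path $SearchRoot -Filter 'msdaipp.dll' -Recurse -File `
            -Force -ErrorAction SilentlyContinue

if (-not $hits) {
    # Step 3: file absent means the machine is not affected.
    Write-Output 'msdaipp.dll not found: not affected, no patch needed.'
} else {
    # Step 4: report each copy, since more than one may exist on disk.
    $hits | ForEach-Object { Get-ProviderStatus -Path $_.FullName } |
        Format-Table -AutoSize
}
```

Running it before and after applying a service pack shows whether the file version actually changed, which is the comparison made in this thread.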