Re: Conflicting info between the global Security Bulletin and some SPi Security Bulletin

"David F" <David-White@xxxxxxxxxxxxx> wrote in message
news:u2wGns9VHHA.4796@xxxxxxxxxxxxxxxxxxxxxxx
The global detailed Security Bulleting is given in:
http://www.microsoft.com/technet/security/current.aspx

I did find the following problems there.
I normally use Win 2K + SP4.
According the Security Bulletin for the release of SP4,
(http://www.microsoft.com/technet/security/prodtech/windows2000/w2ksp4.mspx)
it contains all new (new - with respect to SP3) patches in the range:
MS01-022 (4.18.2001) till MS03-030 (7.23.2003)
and of course also all prior patches from SP1 to SP3.

But when I looked in that detailed global list, I find for example that as
old
MS00--077 (10.13.2000 !) and many other older than MS03-030
should be applied to W2K/SP4. This doesn't make sense.


I do not see statement that ms00-077 applies to W2k Sp4
Where do you see this? In what you term the Global Sec Bulletin it
states this applies to W2k at Sp1 and Sp2, and if you read into it you
will see that the Sp2 part was added when the specific patch was
reissued to address a further, similar exploit. If you look at the KB
http://support.microsoft.com/?kbid=299796
you will see that the updated patch was first included in SP3


I found the exact same contradictions with regard to Win XP SP2.
In this case, I found even a worse situation, when patch # MS03-011
showing up in the detailed global list, which according to its date
and patch # should be included in the Security Bulletin list for
WXP/SP2 but it is not!. This list is given in:
http://www.microsoft.com/technet/security/prodtech/windowsXP/xpsp2.mspx


ms03-011 is something of a peculiar situation as it deals with the
MS distributed Java VM, which MS had to pull from availability
as part of a settlement with Sun. In fact, this was involved in the
reissue of XP Sp1 as XP Sp1a.
It is possible for even W2k3 to need this patch. It all depends on
the history of the machine. One could install an XP SP2 from an
XP Sp2 CD and not get the VM installed. Later, install of an older
download of some product might install the VM at a level before
3810, causing need for the patch at that point.
Read into the bulletin and you will see there is quite a bit that is
abnormal about this specific patch. Behind the scenes there is a
bit of legal history. One must take the history of a specific machine
into account to determine need, and just being at an OS level mentioned
in the bulletin does not mean one needs the patch (the VM might not be
present).


So I don't know what to make of it and how I can rely on that
detailed global list in terms of what to pickup from it and apply to
W2K/SP4
(and the same for WXP/SP2).


You seem to be going about this the hard way David.
You can either use the Microsoft Update site in Custom mode to
get a list of what a specific machine needs based on what is at
the moment installed; or one can download MBSA and after it
is installed open a cmd prompt at the install directory and issue
mbsacli /?
for syntax, and then use mbsacli with a switch
/n OS+IIS+SQL+Password
in order to only check patches


.

Relevant Pages