From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Jun 18 2001 - 09:44:56 CDT


    I made mention of MS01-023 several times in my last post. I was
    referring to MS01-026. This version corrects that.

    Sorry for the confusion!

    Cheers,
    Russ

    (Note: URLs may be wrapped to more than one line)

    There was a thread over on SecurityFocus' Bugtraq mailing list about
    this subject and I thought I would summarize it here since there have
    been a couple of messages about it.

    Bottom Line
    ===========
    If you had MS01-026 applied prior to SP2 you should not be vulnerable
    to the sadminD/IIS Worm (unless you have configuration problems). If
    you didn't apply MS01-026, but have applied SP2, you are still
    vulnerable to some IIS exploits and need to get additional patches,
    see item 3b below.

    Details
    =======

    1. There was a report that SP2 for W2K "broke" some of the fixes
    addressed by MS01-026 (the IIS roll-up fix). The suggestion was that
    applying SP2 would open up the machine to the sadminD/IIS worm again
    (assuming the machine was running IIS).

    http://www.securityfocus.com/archive/1/191377

    2. Examination of a box which had MS01-026 on it prior to SP2
    installation, after SP2 installation, showed that the MS01-026
    binaries were intact. The registry entry for MS01-026 had been
    removed, however, which would result in HFCheck giving erroneous
    results (it would indicate that MS01-026 was still needed).

    http://www.securityfocus.com/archive/1/191536

    3. I offered up some suggestions, substantially as follows:

    a) Security hotfixes for W2K are named according to what Service Pack
    they are *expected* to be included in (there's a more sophisticated
    explanation, but for all intents and purposes...) Ergo, the MS01-026
    fix is named q293826_w2k_sp3_x86_en.exe, indicating that it's expected
    to be included in SP3 (and by extension, definitely not included in
    SP2).

    b)
    http://www.microsoft.com/technet/security/current.asp?productID=17&servicePackId=2
    gives you a listing of all Security hotfixes that are
    required post-W2K-SP2. Note how MS01-026 *is* listed there.

    c) The HFCheck.wsf, from
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168 also
    identifies what might need to be re-applied after a Service Pack
    installation (but as the message referenced in #2 above indicates,
    might give false information since it just checks the registry.)

    Finally, for anyone who wonders why, after installing the latest
    Service Pack, they'd then have to re-apply Security hotfixes that
    were released prior to the Service Pack...the answer's pretty simple
    and hopefully one that everyone appreciates.

    Both Service Packs and Security hotfixes go through regression
    testing prior to release. This is a fervent attempt, since NT 4.0 SP2,
    to avoid the problems associated with patches and compatibility. The
    testing for Service Packs is more extensive than that for Security
    fixes, largely due to the number of components that need to be tested
    in a Service Pack. As a result, the date that Service Pack
    distributions are frozen (meaning no new code can be added) comes
    some time (usually 4-6 weeks, sometimes longer) prior to its release.
    During that time Security fixes are created and made available to the
    public since they're important, but not put into the frozen Service
    Pack distribution because that would delay its (the SP's) release.

    So always double-check, using one of the three methods mentioned
    above, whether or not you need to re-apply a Security hotfix after a
    Service Pack installation. There are almost always going to be at
    least one or two.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

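The naming convention from item 3a and the registry-versus-binaries discrepancy from item 2, as an added example that is not part of the original message or any Microsoft tool. The function names, status strings and the `q000001`/`q000002` file names are constructed for illustration, and how binaries are verified on disk is left to the operator.

```python
import re

# Naming convention from item 3a: q<article>_w2k_sp<N>_<arch>_<lang>.exe,
# where N is the Service Pack the fix is expected to ship in.
HOTFIX_NAME = re.compile(
    r"^q(?P<kb>\d+)_w2k_sp(?P<sp>\d+)_(?P<arch>[a-z0-9]+)_(?P<lang>[a-z]+)\.exe$",
    re.IGNORECASE,
)


def parse_hotfix(filename):
    """Split a W2K hotfix file name into article id and expected Service Pack."""
    m = HOTFIX_NAME.match(filename.strip())
    if m is None:
        raise ValueError(f"not a W2K hotfix file name: {filename!r}")
    return {"kb": "Q" + m.group("kb"), "expected_sp": int(m.group("sp")),
            "arch": m.group("arch").lower(), "lang": m.group("lang").lower()}


def status_after_sp(filename, installed_sp, registry_kbs, binaries_intact):
    """Classify one hotfix after a Service Pack install.

    registry_kbs    -- article ids that still have a hotfix registry entry
    binaries_intact -- article ids whose patched files were verified on disk
                       (assumption: the operator supplies this set)
    """
    fix = parse_hotfix(filename)
    if fix["expected_sp"] <= installed_sp:
        return "expected in installed SP"
    if fix["kb"] in registry_kbs:
        return "present"
    if fix["kb"] in binaries_intact:
        # Item 2: files are fine, but a registry-only check reports it missing.
        return "present, registry entry missing"
    return "re-apply"


if __name__ == "__main__":
    # Constructed inventory; only the first file name appears in the message.
    files = ["q293826_w2k_sp3_x86_en.exe", "q000001_w2k_sp2_x86_en.exe",
             "q000002_w2k_sp3_x86_en.exe"]
    for name in files:
        print(name, "->", status_after_sp(name, 2, set(), {"Q293826"}))
```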