From: Maxim S. Shatskih (maximSTORAGECRAFT.COM)
Date: Tue Apr 23 2002 - 18:50:53 CDT

        The problem is with:

    - Windows 2000 Advanced Server SP2
    - Media Player patch WMSU47357.EXE size 942160 bytes. This is a well-known patch (discussed here on NTBugTraq around mid-Jan 2002),
    which adds a checkbox to the Media Player to allow the user to switch off the unique identification by the webservers, thus
    maintaining privacy. This patch+checkbox also affects IE, and thus closes a privacy hole in it.

    Now the problem. Running SFC.EXE (Windows File Protection command-line tool) on the machine with this patch does the following:

    1) rolls Media Player back to "no privacy checkbox" state. Version in Help/About box after the patch is 6.4.09.1116, after SFC -
    6.4.09.1109.

    - writes several complaints to the System log about DLLs with incorrect digital signatures which are restored from the DLL cache,
    thus rolling back the patch. They are:
        - dxmasf.dll. Version stamp after patch is 6.4.9.1117 size 525312 bytes, SFC rolled it back to 6.4.9.1109 size 498448 bytes.
        - msdxm.ocx (this seems to be the Media Player core). Version stamp after patch is 6.4.9.1116 size 844048 bytes, SFC rolled it
    back to 6.4.9.1109 size 842000 bytes.
        - strmdll.dll. Version stamp after patch is 4.1.0.3925 size 251904 bytes, SFC rolled it back to 4.1.0.3917 size 242960 bytes.

    This is a stable pattern, can be repeated several times by - run SFC - install Media Player patch - reboot (the patch requires it) -
    run SFC again...

    No other binaries are rolled back by SFC - from IIS patches, for instance.

    Looks like the Media Player patch is broken.

    2) writes several complaints about DLLs which are missing but necessary. They are:
        agt0401.dll
        agt0404.dll
        agt0405.dll
        agt0408.dll
        agt040d.dll
        agt040e.dll
        agt0411.dll
        agt0412.dll
        agt0415.dll
        agt041f.dll
        agt0804.dll
        ...and so on - hundreds of DLLs of all kinds.
    This issue can be a separate one and not Media Player-related. I suspect SFC tries to check all w2k AS DLLs, even from the
    installation options which were not installed with the OS. For instance, it complained about busmouse.sys, which is for sure not
    installed since I have a PS/2 mouse (driven by i8042prt.sys for sure). I also saw certxxx.dll or such there, and Certificate Server is
    not installed.

        regards,
        Max