OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: reports of DCOM worm on the loose...Report #4

From: Geoff Clow (GClowSTBERNARD.COM)
Date: Tue Aug 12 2003 - 21:07:44 CDT

Russ [Russ.CooperRC.ON.CA] wrote:

> 3. Came across another very large installation that had used St. Bernard's Update Expert to deploy MS03-026. ... that installation discovered that MS03-026 had not deployed correctly

St. Bernard Software has attempted to corroborate this report, through our own extensive testing, through our Support records, and together with some list members who expressed an interest in the issue. Internally, we have identified one scenario that is related, as follows.

MS03-026 requires a reboot to complete its installation. UpdateEXPERT by default will initiate the reboot. However, the user can choose to override this default, in favor of an explicit reboot (e.g., manual or through UpdateEXPERT's Console) at a later time. The installation is incomplete until the reboot occurs, though UpdateEXPERT reports the patch is installed.

A preferred usage would be to leave the reboot automatic, and schedule installation of the patch for a later time, thereby scheduling both the installation and the reboot. This allows the reboot to occur at a convenient time while still assuring that it does in fact occur.

We have not yet confirmed instances of this scenario in the field, and it will be resolved by our enhanced validation coming out later this month as discussed by Dan Sackinger (http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0308&L=ntbugtraq&F=P&S=&P=1599). As a benefit to the community, we would welcome anyone having useful information to contact us. For our part, we will continue to aggressively investigate the scenarios that are reported, and will publish an account to NTBugTraq of any scenarios that successfully produce the results suggested. (Contacts will be kept confidential.)

You can provide information on this matter to me directly or by cc, and I will expedite its handling. Thanks to those who have already contributed to the dialogue.

Regards,

Geoff Clow
VP, Software Engineering
St. Bernard Software
GClowStBernard.com

> -----Original Message-----
> From: Russ [mailto:Russ.CooperRC.ON.CA]
> Sent: Tuesday, August 12, 2003 6:30 AM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: Re: reports of DCOM worm on the loose...Report #4
>
> Summary of information uncovered;
>
> 1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't supporting this configuration and insist you should test it, but I have had numerous reports from people who have successfully installed it. Windows 2000 SP2 systems have been successfully compromised.
>
> 2. Windows Update and most 3rd party patch management applications will not offer you the ability to install MS03-026 on Windows 2000 SP2 systems. I have prepared an XML file for use with HFNetchk or MBSACli which will both check for, and recommend, MS03-026 on Windows 2000 SP2 systems.
>
> 3. Came across another very large installation that had used St. Bernard's Update Expert to deploy MS03-026. They deployed to Windows 2000 SP3 systems. After rechecking, that installation discovered that MS03-026 had not deployed correctly, and all of those systems needed to have the patch re-applied either manually, or via HFNetchk/MBSA.
>
<snip>

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to

http://www.trusecure.com/offer/s0100/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo