OSEC

From: Vladimir Shtern (vladisavicatech.com)
Date: Thu Oct 04 2001 - 13:57:40 CDT

    Hi fellows on list,
    Please see mail posted on BUGTRAQ list.
    I personally feel confused.
    Seeking opinion.
    -vs
    >To: "Russ" <Russ.CooperRC.ON.CA>
    >Cc: "BUGTRAQ" <BUGTRAQsecurityfocus.com>
    >Subject: NT Users SHOULD be CAREFULL when applying NT hotfixes "Multiple
    >version problem inside NT Hotfixes"
    >
    >+--------------------------------------------.
    >Multiple version problem inside NT Hotfixes .
    >+----------------------------------------------`--------------------+
    >Hotfixes Affected: MS00-057 MS00-078 MS00-090 .
    >Type : Wrong Version .
    >Date : 3-10-2001 .
    >Product : Microsoft NT Server and workstation .
    >Author: : NtWaK0 www.versalys.com .
    >+-------------------------------------------------------------------+
    >
    >-----------------------------.
    >NT Hotfixes Version Problem .
    >-------------------------------`------------------------------------.
    >MS00-078: Web Server Folder Traversal Vulnerability
    >MS00-057: File Permission Canonicalization Vulnerability
    >MS00-090: .ASX Buffer Overrun and .WMS Script
    >-------------------.
    >Problem Introduction.
    >---------------------`----------------------------------------------.
    >MS00-078: Web Server Folder Traversal Vulnerability
    >Microsoft Internet Information Server 4.0
    >Microsoft Internet Information Services 5.0
    >
    >Description of vulnerability can be found at
    >http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
    >
    >Patch can be found at
    >http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA
    >/EN-US/prmcan4i.exe
    >
    >MS00-057: File Permission Canonicalization Vulnerability
    >http://www.microsoft.com/technet/security/bulletin/ms00-057.asp
    >
    >Patch can be found at
    >http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA
    >/EN-US/prmcan4i.exe
    >
    >
    >As you can see, based on Microsoft's description you should also run
    >MS00-057; both fixes go together, if you want.
    >That is what makes both hotfixes affected by the problem.
    >
    >------------------------------------.
    >Problem detail MS00-078 prmcan4i.exe .
    >--------------------------------------`-----------------------------.
    >The problem is in the file versions included in these hotfixes.
    >The hotfix prmcan4i.exe is supposed to fix or change these files:
    >asp.dll
    >sspifilt.dll
    >ssinc.dll
    >w3svc.dll
    >
    >Now if we take a look at the file versions one by one and compare them
    >to the files contained in the hotfix MS00-060: this hotfix is supposed
    >to be older than MS00-078, and the files inside are supposed to be newer
    >than the files contained in MS00-057 and MS00-060
    >
    >Files inside the prmcan4i.exe MS00-078 :
    >---------------------------------------
    >HF\NT\prmcan4i>filever asp.dll sspifilt.dll ssinc.dll
    >--a-- W32i DLL ENU 4.2.749.1 shp 330,080 08-03-2000 asp.dll
    >--a-- W32i DLL ENU 4.2.749.1 shp 25,360 08-03-2000 sspifilt.dll
    >--a-- W32i DLL ENU 4.2.749.1 shp 38,256 08-03-2000 ssinc.dll
    >--a-- W32i APP ENU 4.2.749.1 shp 228,496 08-03-2000 w3svc.dll
    >
    >Now let us compare these files with the files contained in the hotfix
    >MS00-060.
    >
    >MS00-060: IIS Cross-Site Scripting Vulnerabilities
    >Description of vulnerability can be found at
    >http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
    >
    >Files inside the crsscri.exe MS00-060 :
    >--------------------------------------
    >--a-- W32i DLL ENU 4.2.752.1 shp 330,080 10-03-2000 asp.dll
    >--a-- W32i DLL ENU 4.2.752.1 shp 25,360 10-03-2000 sspifilt.dll
    >--a-- W32i DLL ENU 4.2.752.1 shp 38,256 10-03-2000 ssinc.dll
    >--a-- W32i APP ENU 4.2.752.1 shp 229,008 10-03-2000 w3svc.dll
    >
    >As you can see, 4.2.752.1 is > 4.2.749.1; this may lead to a security
    >problem, since the newer hotfix contains older DLLs.
    >Second, users who think that MS00-078 is newer than MS00-060
    >may be wrong.
    >
    >-----------------------.
    >Second Problem MS00-090 .
    >-------------------------`------------------------------------------.
    >MS00-090: .ASX Buffer Overrun and .WMS Script
    >
    >I did find a problem with this hotfix "wmqfe33955.exe".
    >The file dxmasf.dll in the hotfix (wmqfe33955.exe) is version
    >6.4.9.1110 but the file on the system is version 6.4.9.1109, and when
    >you run this hotfix it won't update the file, go figure.
    >
    >I have tried this on 3 different NT boxes and still it did not update
    >the file. I did not get any error while applying the hotfix.
    >Leaving an older file, this will leave your system open to the
    >exploit mentioned on MS00-090.
    >Description of vulnerability can be found at
    >http://www.microsoft.com/technet/treeview/default.asp?url=/technet
    >/security/bulletin/ms00-090.asp
    >
    >
    >NOTE: Microsoft considers this a technical issue; I do not agree, since this
    >affects the hotfixes and the hotfixes' job is to fix security problems
    >most of the time.
    >
    >
    >
    >________________________________________________________________________
    >The only secure computer is one that's unplugged, locked in a safe,
    >and buried 20 feet under the ground in a secret location... and i'm
    >not even too sure about that one"--Dennis Huges, FBI.
    >____________________________________________________________.___________
    >Live Well Do Good |
    >Je Pense, Donc Je Suis \(|)/
    >I know I ain't perfect, but i'm 99 point 9 percent :) --(")--
    >RFCs are meant to be read and followed…:) /`\ NtWaK0
    >________________________________________________________________________