Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Problems with MS05-013

from [John Groth] Network Security [Permanent Link]
Subject: Re: Problems with MS05-013
Date: Fri, 25 Feb 2005 11:47:07 -0500
Ian Hayes wrote: 
? As part of our patch management process, we have as part of our
login scripts a control that verifies that various patches and
hotfixes have been installed by checking file version numbers.


Not a bad plan, but if you were really paranoid maybe check the file
hashes against hashes from trusted binaries too.

I'm seeing a problem with MS05-013. According to the KB article for this
hotfix, the updated file provided for his fix is dhtmled.ocx, and
should be at version 6.1.0.9232. After installing the hotfix, I was
suprised to see that our hotfix checker still tagged my computer.
Lookint at the file properties, my version of dhtmled.ocx has a value
of 6.1.0.8244. Clicking on the actual File Version property shows a
very different 6.01.8244.


You've found your discrepancy, now it is time to further investigate.
Verify the file information that is displayed on Microsoft's KB article.
 Download the patch from Microsoft and execute "patch.exe /extract"
From there you can verify the actual file versions that are included in
the patch.  Sometimes Microsoft makes an error and the actual version
distributed in the patch binaries is different than what they say in
their bulletins and KB articles.  Usually someone, like me, will report
a discrepancy in the bulletin/KB information shortly after the patch
release.  Verify the file version information in the actual patch binary
you used to install on that machine.  If the patch is good and your
machine is not being updated properly - find out why the patch is
failing.  Is the update process getting killed or interrupted somehow?
Does that machine need a reboot after the patch?

While it's easy for me to change the expected version number in our
checker, I'd like to make sure that this hotfix is actually being
applied and the correct file is being installed.


Verify the file versions against what is in the patch binary along with
what Microsoft says.  You will then know the proper version number you
should have in your script.

If you are having trouble applying a security patch from Microsoft you
should be able to open up a free ticket with their product support
services group to resolve the issue.

cheers,
~johng

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Firescrolling [Firefox 1.0], Russ
Next by Date:  Re: Outlook exploit, Arthur Donkers
Previous by Thread:  Problems with MS05-013, Ian Hayes
Next by Thread:  Remote Windows Kernel Exploitation - Step Into the Ring 0, Marc Maiffret
Indexes:  [Date] [Thread] [Top] [All Lists]