Re: How the MS Critical Update Notification works...

From: Brian Hayward (haywardat_private)
Date: Thu Jan 28 1999 - 08:59:37 PST


    So the weakest link here is the nameserver.  If someone is able to
    compromise your nameserver.
    
    I wonder what type of validation is done within the update utility.
    Does it check to see if the resolved address is indeed a valid microsoft
    IP address, or are there any other security checks that prevent
    installation of updates from a non-microsoft site?
    
    ---
    Brian Hayward  haywardat_private
    http://www.slothmud.org/~hayward/mic_humor.html :Microsoft Humor
    
    On Thu, 28 Jan 1999, HD Moore wrote:
    
    #Here is an overview of how Windows 98 determines if an update is available
    #via the Critical Update Notification utility.  All of the information here
    #was obtained through packet dumps, so if anyone from M$ would like to
    #correct this, feel free to do so.
    #
    #
    #Step A
    #----------
    #
    #Windows 98 will try to resolve the address 'windowsupdate.microsoft.com'
    #after you either open an IE4 window, or about every 5 minutes.  If it can
    #resolve that address you proceed to step B, otherwise it waits and tries
    #again in a few minutes.
    #
    #Step B
    #----------
    #
    #The update program will connect to 'windowsupdate.microsoft.com' on port 80
    #and attempts to retrieve a CAB file called cucif.cab.  If this file is
    #retrieved successfully, you go on to step C, otherwise it waits and tries
    #again.
    #
    #( the full GET request sent )
    #
    #-- snip --
    #GET /x86/W98/en/ie4/cucif.cab HTTP/1.1
    #Accept: application/vnd.ms-excel, application/msword,
    #application/vnd.ms-powerpoint, */*
    #Accept-Language: en-us
    #Accept-Encoding: gzip, deflate
    #User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
    #Host: windowsupdate.microsoft.com
    #Connection: Keep-Alive
    #Cookie: MC1=ID=f738117cd92911d2933f0f08d79a2879
    #-- unsnip --
    #
    #
    #Step C
    #----------
    #
    #Inside the cab is a file called 'cucif.cif', this file has a list of all
    #critical updates for Windows 98.  The update program checks this list
    #against its list of installed updates and if a new one is found it will
    #present the user with a dialog.  If the user chooses to accept the update,
    #they are sent to the windowsupdate site via IE4.
    #
    #(a cut from 'cucif.cif')
    #
    #-- snip --
    #[oepatch]
    #DisplayName=%oepatch%
    #Version=4,72,3135,0
    #Locale=%L_oepatch%
    #_CriticalUpdateDependencies=mailnews
    #GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
    #Reboot=1
    #URL1="OEPATSP1.EXE",2
    #Size1=1097,1110
    #Command1="oepatsp1.exe"
    #Type1=1
    #Switches1="/Q:A /R:N"
    #Size=1103,24
    #-- unsnip --
    #
    #
    #Anyways, I hope someone found this useful.
    #
    #
    #HD Moore
    #http://nlog.ings.com
    #http://www.trinux.org
    #
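Step C of the quoted overview (parsing the `cucif.cif` list and comparing it against installed versions), worked as an added example that is not part of this thread or of Microsoft's utility. It assumes the comparison is made per section name on the comma-separated `Version` field; the `[hypo_fix]` entry is constructed, and nothing in this format authenticates where the list came from, which is the gap the reply above points at.

```python
import configparser

# Constructed sample in the cucif.cif format quoted above; [oepatch] copies the
# quoted entry (trimmed), [hypo_fix] is a made-up second entry.
SAMPLE_CIF = """\
[oepatch]
DisplayName=%oepatch%
Version=4,72,3135,0
_CriticalUpdateDependencies=mailnews
GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
Reboot=1
URL1="OEPATSP1.EXE",2
Size1=1097,1110
Command1="oepatsp1.exe"
Switches1="/Q:A /R:N"
Size=1103,24

[hypo_fix]
DisplayName=%hypo_fix%
Version=4,72,3110,0
URL1="HYPOFIX.EXE",2
Switches1="/Q:A /R:N"
"""

def parse_version(text):
    """'4,72,3135,0' -> (4, 72, 3135, 0); tuples compare element-wise."""
    return tuple(int(part) for part in text.split(","))

def parse_cif(text):
    """Return {section: {version, guid, payload, command, switches}}."""
    cfg = configparser.ConfigParser(interpolation=None)  # values contain '%'
    cfg.read_string(text)
    entries = {}
    for name in cfg.sections():
        sec = cfg[name]
        entries[name] = {
            "version": parse_version(sec["Version"]),
            "guid": sec.get("GUID", ""),
            "payload": sec.get("URL1", "").split(",")[0].strip('"'),
            "command": sec.get("Command1", "").strip('"'),
            "switches": sec.get("Switches1", "").strip('"'),
        }
    return entries

def pending_updates(cif_text, installed):
    """Names of entries newer than what is installed ({name: version tuple})."""
    return sorted(name for name, e in parse_cif(cif_text).items()
                  if e["version"] > installed.get(name, (0,)))
```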
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:03 PDT