-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This came across the intrusions@incidents list and I thought it might be appropriate for these lists. Sorry for the cross-post for those who receive multiples. This is just a forward, not a confirmation.

-----Quoted Message-----
Date: Wed, 17 Apr 2002 16:51:48 -0400
From: jmcguireat_private
To: intrusionsat_private
Subject: ms02-018 IS dangerous after all

OK, I, and apparently a few others, have been tracking this down all day, and you may read about it in other places shortly, but I believe there is a major problem with this patch and other "update" methods from our friends in Redmond.

A server we host here got Nimda, but it was caught and cleaned by the virus scanner (NAV Corp). On Friday, as I posted here, I installed the hotfix rollup MS02-018 on it with apparently no ill effects. Monday morning we found that the worm had made its attempt. This afternoon I scanned the machine with MBSA. It reported a list of hotfixes missing from the machine. Most are MS02s, but MS00-079 and MS01-048 are missing too. There were several that it could not confirm had been installed, given the network environment between the server and me.

MS states that MBSA checks for the actual patched versions of the files using a newer version of HFNetChk. I believe them on this point, and I say why in the next paragraph. I also believe that I have proven that MS02-018 and Windows Update uninstall (probably unintentionally) previously implemented hotfixes.

I believe the tool because now that I have applied critical updates from Windows Update and MS02-018, in that order, the tool shows my 2000 Pro machine up to date. In my previous post I mentioned that the tool reported MS02-018 turned up missing between my first scan and the scan after WU had run. It appears WU removed the rollup, but that the rollup goes back on fine after a "Windows Update" of the machine. Not so easy with my IIS4 server that is now missing several patches.
My logic is this: if these were merely reporting errors and the Microsoft information I have gotten back so far is inaccurate, the tool would not now report that a machine patched in a certain sequence is up to date. Therefore, the tool must be accurate, at least for Win2k SP2 boxes, and many of us must have unsecured IIS boxes (the obvious retort "of course IIS isn't secure" from the Unix crowd aside). This also indicates that the tool is likely fairly accurate on the NT4 server.

This job just keeps getting more and more interesting. I love a challenge ;-)

Anyone seeing a jump in Nimda, Code Red, clone scans?

__________________________________________
JOHN MCGUIRE
CISSP, MCSE2k, MCSE+I, MCT
888.529.0401
jmcguireat_private
Strictly Business
www.sbcs.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
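The check the post relies on, verifying patch state from the versions of the files actually on disk rather than from a registry "installed" marker, and then diffing a scan taken before a rollup against one taken after it to catch hotfixes the rollup reverted, as an added example that is not part of the post or of MBSA/HFNetChk. The manifest, file names, versions and snapshots are constructed placeholders, not real MS02-018 data.

```python
"""Added example (not from the post): verify hotfix state from file
versions, the way the post says MBSA/HFNetChk does, then diff two
snapshots to spot hotfixes a later rollup silently reverted. Every
bulletin id, file name and version below is a constructed placeholder,
not real MS02-018 data."""
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    # "5.0.2195.4980" -> (5, 0, 2195, 4980): compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

# Constructed manifest: minimum file versions that prove each patch is
# really on disk (placeholder files and versions).
MANIFEST: Dict[str, Dict[str, str]] = {
    "MS00-079": {"fileA.dll": "5.0.2195.2800"},
    "MS01-048": {"fileB.dll": "5.0.2195.4000"},
    "MS02-018": {"fileC.dll": "5.0.2195.5100"},
}

def missing_bulletins(files: Dict[str, str]) -> List[str]:
    """Bulletins whose required files are absent or older than required.
    Registry 'installed' markers are ignored on purpose: only the file
    versions count, which is the check the post trusts."""
    missing = []
    for bulletin, req in MANIFEST.items():
        for name, min_v in req.items():
            have = files.get(name)
            if have is None or parse_version(have) < parse_version(min_v):
                missing.append(bulletin)
                break
    return sorted(missing)

def regressed(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Bulletins present in 'before' but missing in 'after': the
    signature of a rollup overwriting already-patched files."""
    was_ok = set(MANIFEST) - set(missing_bulletins(before))
    return sorted(was_ok & set(missing_bulletins(after)))

# Constructed snapshots (file name -> version) taken before and after a
# rollup that updated fileC.dll but replaced fileA.dll with an older build.
BEFORE = {"fileA.dll": "5.0.2195.5100", "fileB.dll": "5.0.2195.4000",
          "fileC.dll": "5.0.2195.4500"}
AFTER = {"fileA.dll": "5.0.2195.2500", "fileB.dll": "5.0.2195.4000",
         "fileC.dll": "5.0.2195.5100"}

if __name__ == "__main__":
    print("missing before:", missing_bulletins(BEFORE))  # ['MS02-018']
    print("missing after: ", missing_bulletins(AFTER))   # ['MS00-079']
    print("regressed:     ", regressed(BEFORE, AFTER))   # ['MS00-079']
```

Running the two snapshots through the same file-version check is what turns "the scanner says a patch is missing" into "the rollup removed a patch that was there before", which is the conclusion the post draws from its scan sequence.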
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 15:52:11 PDT