Fwd: ms02-018 IS dangerous after all

From: secret_shadowat_private
Date: Wed Apr 17 2002 - 14:43:48 PDT


    This came across the intrusions@incidents list and I thought it might be appropriate for these lists. Sorry for the cross-post for those who receive multiples. This is just a forward, not a confirmation.
    
    -----Quoted Message-----
    Date: Wed, 17 Apr 2002 16:51:48 -0400
    From: jmcguireat_private
    To: intrusionsat_private
    Subject: ms02-018 IS dangerous after all
    
    OK, I, and apparently a few others, have been tracking this down all day
    and you may read about it in other places shortly, but I believe there is a
    major problem with this patch and other "update" methods from our friends
    in Redmond.
    
    A server we host here got Nimda, but it was caught and cleaned by the virus
    scanner (nav corp). On Friday, as I posted here, I installed the hotfix
    rollup ms02-018 on it with apparently no ill effects. Monday morning we
    found that the worm had made its attempt. This afternoon I scanned the
    machine with MBSA. It reported a list of hotfixes missing from the machine.
    
    Most are ms02s, but ms00-079 and ms01-048 are missing too. There were
    several that it could not confirm had been installed given the network
    environment between the server and me.
    
    MS states that MBSA checks for the actually patched versions of the files
    using a newer version of HFNetchk. I believe them on this point and I say
    why in the next paragraph. I also believe that I have proven that ms02-018
    and Windows Update uninstall (probably unintentionally) previously
    implemented hotfixes.
    
    I believe the tool because now that I have applied critical updates from
    windows update and ms02-018 in that order, the tool shows my 2000 pro
    machine up to date. In my previous post I mentioned that the tool reported
    ms02-018 turned up missing between my first scan and the scan after WU had
    run.
    
    It appears WU removed the rollup, but that the rollup goes back on fine
    after a "windows update" of the machine.
    
    Not so easy with my IIS4 server that is now missing several patches.
    
    My logic is this: If these were merely reporting errors and the Microsoft
    information I have gotten back so far is inaccurate, the tool would not now
    report that a machine patched in a certain sequence is up to date.
    Therefore, the tool must be accurate, at least for win2k sp2 boxes, and
    many of us must have unsecured IIS boxes (the obvious retort "of course IIS
    isn't secure" from the Unix crowd aside). This also indicates that the tool
    is likely fairly accurate on the NT4 server.
    
    This job just keeps getting more and more interesting. I love a challenge
    ;-)
    
    Anyone seeing a jump in Nimda, Code Red, clone scans?
    __________________________________________
    JOHN MCGUIRE   CISSP, MCSE2k, MCSE+I, MCT
    888.529.0401
    jmcguireat_private
    Strictly Business
     www.sbcs.com
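The regression John describes (a rollup or Windows Update silently putting back older file versions, which MBSA then flags as missing hotfixes) is something a defender can catch by diffing the patch state before and after a change. The script below is an added example, not part of the original post and written for a modern PowerShell host rather than the Windows 2000/NT4 machines discussed; it snapshots the registered hotfix IDs plus the file versions of a constructed list of IIS binaries, and reports any hotfix that disappeared or any tracked file whose version went backwards.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3.0+.
# $TrackedFiles is a constructed illustration; point it at the files the
# bulletins you care about actually replace.
$TrackedFiles = @(
    "$env:SystemRoot\System32\inetsrv\w3svc.dll",
    "$env:SystemRoot\System32\inetsrv\asp.dll"
)

function Get-PatchSnapshot {
    param([string[]]$Files = $TrackedFiles)
    $snap = @{
        Taken    = (Get-Date).ToString('o')
        HotFixes = @(Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object -Unique)
        Versions = @{}
    }
    foreach ($f in $Files) {
        if (Test-Path $f) {
            # Record the numeric version parts, not the free-text FileVersion string.
            $vi = (Get-Item $f).VersionInfo
            $snap.Versions[$f] = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
        }
    }
    return $snap
}

function Compare-PatchSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $report = @()
    # Hotfixes registered in the baseline that are no longer registered.
    foreach ($id in $Before.HotFixes) {
        if ($After.HotFixes -notcontains $id) { $report += "REMOVED hotfix $id" }
    }
    # Tracked files whose version went backwards: a previously applied fix was reverted.
    foreach ($path in $Before.Versions.Keys) {
        $old = $Before.Versions[$path]; $new = $After.Versions[$path]
        if ($new -and ([version]$new -lt [version]$old)) {
            $report += "ROLLED BACK $path : $old -> $new"
        }
    }
    return $report
}

# Usage: baseline, apply the rollup and reboot, then compare.
# Export-Clixml/Import-Clixml keep the hashtable shape across the reboot.
#   Get-PatchSnapshot | Export-Clixml C:\baseline.xml
#   ... install patch, reboot ...
#   Compare-PatchSnapshot -Before (Import-Clixml C:\baseline.xml) -After (Get-PatchSnapshot)
```

An empty report means nothing was unregistered or reverted; anything it lists is worth re-checking with the vendor's own scanner before trusting the host as patched.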
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 15:52:11 PDT