RE: MSBLASTER Infecting despite 03-026 patch?

From: Christopher Lyon (cslyonat_private)
Date: Tue Aug 12 2003 - 01:10:43 PDT

    The updates, if run from Windows Update, don't seem to be working all
    that well. That is at least my observation. The link that Dan gave is
    right on for figuring out if it is installed correctly, and what I found
    was that eEye's Retina checked for the RPC service and to see if the
    service was vulnerable. GFI and, I believe, MBSA just check to see if the
    patch is applied but don't check to see if the vulnerability still
    exists. The only way to do that is to bind and test away.
    
    
    Good luck,
    Christopher Lyon
    Sr. Security Development Engineer
    Affant Communication (formerly DNS Network Services)
    v: 714-338-7106
    f: 714-338-7101
    cslyonat_private
    
    > -----Original Message-----
    > From: Dan Hanson [mailto:dhansonat_private]
    > Sent: Monday, August 11, 2003 10:39 PM
    > To: Carter, Mike
    > Cc: Charles Hamby; incidentsat_private
    > Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    > 
    > Check the versions of the files replaced by the MS03-026 patch... there
    > were some reports (on NTBugtraq I believe) where application of the
    > MS03-026 patch simultaneous with other things overwrote the patched
    > files...
    > 
    > http://support.microsoft.com/?kbid=823980
    > 
    > 
    > 
    > 
    > On Tue, 12 Aug 2003, Carter, Mike wrote:
    > 
    > > This is something that really worries me, I've heard it too.
    > > Also I am getting conflicting results when scanning for the patch
    > > installation. I've been using MBSA, GFI LANguard and Retina which all
    > > tell me something different.
    > > Which one should I trust??
    > > Or is there something else I should be using?
    > 
    > -snip-
    > - a different included message -
    > >
    > >
    > > I have seen, and have heard other reports of, msblaster.exe worm
    > > infecting a Windows computer that had the proper KB patch specified by
    > > the 03-026 advisory.  In the instance I personally saw it was a Windows
    > > XP Professional workstation that was completely patched.  The person who
    > > used the workstation was surprised that they were infected since they
    > > had applied the patch and I verified (via Add/Remove Programs) that they
    > > did, indeed, have the proper patch applied.  I checked with my parent
    > > organization and they had been receiving sporadic reports of patched
    > > machines being infected despite being patched.  Unfortunately I removed
    > > the worm from the computer without copying it so I don't have a backup
    > > of it for analysis.
    > 
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:46:04 PDT