Bugtraq mailing list archives
How the MS Critical Update Notification works...
From: hdmoore () USA NET (HD Moore)
Date: Thu, 28 Jan 1999 01:06:17 -0600
Here is an overview of how Windows 98 determines if an update is available via the Critical Update Notification utility. All of the information here was obtained through packet dumps, so if anyone from M$ would like to correct this, feel free to do so.

Step A
----------
Windows 98 will try to resolve the address 'windowsupdate.microsoft.com' after you either open an IE4 window, or about every 5 minutes. If it can resolve that address you proceed to step B, otherwise it waits and tries again in a few minutes.

Step B
----------
The update program will connect to 'windowsupdate.microsoft.com' on port 80 and attempt to retrieve a CAB file called cucif.cab. If this file is retrieved successfully, you go on to step C, otherwise it waits and tries again.

( the full GET request sent )
-- snip --
GET /x86/W98/en/ie4/cucif.cab HTTP/1.1
Accept: application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
Host: windowsupdate.microsoft.com
Connection: Keep-Alive
Cookie: MC1=ID=f738117cd92911d2933f0f08d79a2879
-- unsnip --

Step C
----------
Inside the cab is a file called 'cucif.cif'; this file has a list of all critical updates for Windows 98. The update program checks this list against its list of installed updates and if a new one is found it will present the user with a dialog. If the user chooses to accept the update, they are sent to the windowsupdate site via IE4.

(a cut from 'cucif.cif')
-- snip --
[oepatch]
DisplayName=%oepatch%
Version=4,72,3135,0
Locale=%L_oepatch%
_CriticalUpdateDependencies=mailnews
GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
Reboot=1
URL1="OEPATSP1.EXE",2
Size1=1097,1110
Command1="oepatsp1.exe"
Type1=1
Switches1="/Q:A /R:N"
Size=1103,24
-- unsnip --

Anyways, I hope someone found this useful.

HD Moore
http://nlog.ings.com
http://www.trinux.org
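
The Step C comparison described in the post, sketched as an added example (not code from the original post or from Microsoft). The [examplefix] entry, the function names, and the GUID-to-version format of the installed-update record are assumptions made for illustration.

```python
import configparser

# Constructed sample: the [oepatch] entry quoted in the post, plus one
# made-up entry ([examplefix], placeholder GUID) so both outcomes appear.
SAMPLE_CIF = """\
[oepatch]
DisplayName=%oepatch%
Version=4,72,3135,0
Locale=%L_oepatch%
_CriticalUpdateDependencies=mailnews
GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
Reboot=1
URL1="OEPATSP1.EXE",2
Size1=1097,1110
Command1="oepatsp1.exe"
Type1=1
Switches1="/Q:A /R:N"
Size=1103,24

[examplefix]
Version=1,0,0,0
GUID={00000000-0000-0000-0000-000000000000}
URL1="EXAMPLE.EXE",2
"""

def parse_version(text):
    """Turn '4,72,3135,0' into (4, 72, 3135, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split(","))

def parse_cif(text):
    """Return {section: {key: value}} for an INI-style CIF listing."""
    # interpolation=None: values such as %oepatch% are literal placeholders.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (GUID, Version, URL1, ...)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def pending_updates(cif_text, installed):
    """Entries missing from, or older in, `installed` (GUID -> version tuple;
    this record format is an assumption, the post does not describe it)."""
    pending = []
    for name, fields in parse_cif(cif_text).items():
        guid = fields["GUID"].upper()
        version = parse_version(fields["Version"])
        payload = fields.get("URL1", "").split(",")[0].strip('"')
        if installed.get(guid, ()) < version:
            pending.append((name, guid, version, payload))
    return pending
```

Comparing versions as integer tuples matters here: a string comparison would rank "4,72,999,0" above "4,72,3135,0".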