Problem with Microsoft Security Bulletin MS01-052

["Stephen C Burns" <sb () sbrl net>]

Hey all,

To whomever just got this bulletin: be careful when installing the patch
for the "Invalid RDP Data can Cause Terminal Service Failure"
vulnerability released on the 18th.  Make sure you are able to revert to
your old rdpwsx.dll if you can only access your machine(s) remotely.
Installing this patch gave me the following upon Terminal Services
startup in my System event log:

Error
Event ID: 1014
Source: TermService
Cannot load illegal module: C:\Winnt\System32\rdpwsx.DLL.

With no further explanation.  I had to telnet in through my backdoor
(spefically created for these types of "patches"), kill the running
Terminal Services Service with pstools, as Terminal Services cannot be
controlled through a NET command, and copy my old .DLL over this new one
and restart term services, and then it worked again, all unpatched and
back to normal.

Same problem goes for another development box here, so it doesn't look
machine-specific.  Seems like this will just go around and break
terminal services on everyone's boxes.  Same operating system, same
service packs/hotfixes, same problem, same log entry, same fix.