Bugtraq mailing list archives
RE: After Ms patches last Wed ...
From: InfoSec () seba com
Date: Mon, 3 May 2004 10:41:45 -0400
I've been following this thread and the stated instabilities of the MS04-011 security update. I had determined to delay deployment of this patch until it was stabilized, but it seems it wasn't stabilized fast enough to beat the worms to market. Now of course this same LSASS vuln addressed by MS04-011 is the target of the Sasser worm....

undeployable/unstable patch + critical vulnerability = the even greater threat of the Sasser worm(s)... good job.

I read in an article on this patch that the instability is only present if the "Nortel Networks VPN client is installed and the IPSec Policy Agent is set to manual or automatic startup type". Does anyone have any further input on MS04-011? Stable on a standard Win2k server install or not?

Thanks,
Michael

"David Hayden" <dahayden () clubhayden com>
04/30/2004 01:36 PM

To: "Greg Kujawa" <greg.kujawa () diamondcellar com>, <bugtraq () securityfocus com>, "Michael Ooi" <michael () imr com sg>, "phaser-X" <px () zeroday net>, "T.H. Haymore" <bonk () webchat chatsystems com>, <plasmahh () informatik uni-bremen de>, "Andy Shaw" <andy () east no>, <aborg () mca org mt>
cc:
Subject: RE: After Ms patches last Wed ...

For those of you that had problems with the MS Patch...

Microsoft confirmed that disruptive bugs in a recently issued Windows security patch could cause systems to freeze or lead to system usage overload.

The buggy patch, issued earlier this month to plug numerous "critical" vulnerabilities in the Windows operating system, has caused problems for IT admins because of conflicts with installed drivers.

"[It] causes Microsoft Windows 2000 to try repeatedly to load drivers that do not load successfully," the software giant said Wednesday, identifying the drivers as Ipsecw2k.sys, Imcide.sys and Dlttape.sys...

http://www.internetnews.com/dev-news/article.php/3347221

DH

-----Original Message-----
From: Greg Kujawa [mailto:greg.kujawa () diamondcellar com]
Sent: Tuesday, April 20, 2004 3:40 PM
To: bugtraq () securityfocus com
Subject: Re: After Ms patches last Wed ...

In-Reply-To: <2DF52978DE0D854F9435C7AA7DD51F9801F4A12D () atlmaiexcp01 iss.local>

Don't know if this is duplicate info from another message, but there are two different issues with the KB835732 update. Specifically on Windows 2000 machines.

The first issue involves cached data in RAM. If a machine is rebooted immediately after applying the update there is a chance that the BSOD will come up. The STOP error is described as DRIVER_IRQ_NOT_LESS_OR_EQUAL. A hard reboot will eliminate this transient error.

The second issue involves problems with the IPSec Policy Agent Service. This is enabled to start automatically with the update and it can lead to the CPU pegging. Stopping the service and disabling it will eliminate this issue.

Can't say that Microsoft can claim these issues were the result of updates being rushed to market. Most of the vulnerabilities were brought to their attention 6 months ago. At least the issues aren't as bad as Windows NT 4.0 Service Pack 6. That broke the TCP/IP stack and really had me scrambling back then resuscitating my servers!
Subject: RE: After Ms patches last Wed ...
Date: Mon, 19 Apr 2004 13:33:53 -0400
Message-ID: <2DF52978DE0D854F9435C7AA7DD51F9801F4A12D () atlmaiexcp01 iss.local>
From: "Brito, Nelson (ISS Brazil)" <NBrito () iss net>
To: "T.H. Haymore" <bonk () webchat chatsystems com>,
<bugtraq () securityfocus com>
(As usual, and obviously: not speaking on behalf of my employer.)
I didn't see anything unusual, neither with my Win2k nor with my WinXP boxes.
It'd be a machine specific or something conflicts with some DLL(s).
It is usual to replace some DLL(s) when install some program(s).
Cheers.
Nelson Brito
-----Original Message-----
From: T.H. Haymore [mailto:bonk () webchat chatsystems com]
Sent: Saturday, April 17, 2004 5:29 AM
To: bugtraq () securityfocus com
Subject: Re: After Ms patches last Wed ...

On Fri, 16 Apr 2004, phaser-X wrote:

I had a different issue after Wednesday's updates. Two win2k computers in my office were rendered useless after the patch. They were fine before, but as soon as the patch finished and the PC was rebooted, the CPU usage was 100% and nothing could be done. I left both PCs sitting for about 20 minutes and the 100% CPU usage never came down. Another coworker said he had the same issue with his home PC and he was eventually able to get into the task manager and noticed that the system process was taking up 99-100% of the CPU.

I have run into the same thing with 2K workstations as well as 2K server. On a side note, an XP 'goof off' box I use will no longer connect to the online card games or anything else. (Thank goodness for BSD).

Anyone else experience this issue?
-pX

=================================================
Travis
www.cyberabuse.org/crimewatch
Email: Bonk () chatsystems com | Bonk () cyberabuse org
=================================================
/"\
\ /
 X   ASCII Ribbon Campaign
/ \  Against HTML Email