Patching networks redux

["Schmehl, Paul L" <pauls () utdallas edu>]

For all those experts who have mastered patching your networks, please
ignore this post.

For the rest of you, testing has shown that some patch management tools
are incorrectly reporting that MS03-026 is installed when it's not
(notably Windows Update and Update Expert, among others.)  The accuracy
of the tool depends on how they check for the patch level.  If they
check the registry (like Windows Update and Update Expert do) they will
*incorrectly* report that MS03-026 has been installed when if fact the
files have not been updated.  If they do MD5 checksums (like Hfnetchk or
MBSA), they will correctly report the patch level.

The Retina tool from eEye (and I would assume the IIS commandline tool
as well) is correctly reporting what *is* patched and what is *not*
patched, so you need to rely on those to give you accurate information.
You could actually have users going to Windows Update and finding no
patches available when in fact they are still vulnerable.  You could
also have users for whom you've pushed out the patch who have
overwritten the files with older versions, yet your tools are reporting
them as patched.

Of course the experts never have these problems, but for the mere
mortals, caveat emptor.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html