Full Disclosure mailing list archives

RE: RE: Probable new MS DCOM RPC worm for Windows


From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Fri, 26 Sep 2003 10:33:26 -0500


No one is going to manually touch 2000+ machines (unless you're a
consultant and you get paid by the hour). That's why there're tools to
check whether the file properties are correct for a particular hot fix.

For example, Microsoft Baseline Security Analyzer (free), GFI Languard
Network Security Scanner (inexpensive), Shavlik HFNetcheckPro
(expensive), and Microsoft SMS (with SU feature pack) (very expensive)
will all do file version and/or checksum calculations to verify that a
particular file is what should be there to consider a patch to be
installed. Some of these will even automatically deploy the patches to
machines that are missing them. Many other tools do the same thing.
(let's not get into a flame war about the pros and cons of any
particular tool).

While we have other decent tools available to check whether a patch has
been correctly applied to this particular vulnerability that don't
depend on file versions, for most patches the only reliable way to
confirm if a patch has been applied is to check the physical files.

If you're not going to verify that a patch is correctly installed
through _some_ method, you're being negligent. To answer your question,
yes, if you're a responsible professional.

Jerry 

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu] 
Sent: Friday, September 26, 2003 9:33 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows


-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu] 
Sent: Friday, September 26, 2003 8:06 AM
To: 'full-disclosure () lists netsys com'
Subject: Re: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows


I would think a better way of determining if a patch is 
actually installed on a system is by examining the files on 
the system rather than to depend upon symptoms (scanners) or 
installation logs (registry entries).

True, but *I'm* not going to physically touch (or even virtually touch)
2000+ machines looking at file properties.  Are you?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
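The file-based check Jerry describes (confirming that the physical files a hotfix replaces are at the patched version), as an added Python example that is not part of this thread or of any of the tools named in it: it reads each file's version from the PE VS_FIXEDFILEINFO block and compares it numerically against a manifest of minimum versions, treating a newer file as patched. The manifest entries, version numbers and stand-in binaries in demo() are constructed; scanning for the structure's signature is a shortcut for walking the resource directory.

```python
import struct
import tempfile
from pathlib import Path

# VS_FIXEDFILEINFO starts with dwSignature 0xFEEF04BD; scanning for it skips the resource walk.
VS_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)

def parse_version(text):
    """'5.0.2195.6798' -> (5, 0, 2195, 6798); numeric, so 10000 > 6798 (strings would not)."""
    return tuple(int(part) for part in text.split("."))

def pe_file_version(path):
    """Version tuple from the first VS_FIXEDFILEINFO in the file, or None if absent."""
    data = Path(path).read_bytes()
    pos = data.find(VS_FIXEDFILEINFO_SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS (major.minor), dwFileVersionLS (build.rev)
    _sig, _struc, ver_ms, ver_ls = struct.unpack_from("<4I", data, pos)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)

def check_patch(manifest, root):
    """manifest {relative path: minimum version} -> {path: status}.
    Newer than expected is 'ok': a later hotfix supersedes this one, which is
    why a version floor ages better than an exact checksum match."""
    results = {}
    for rel, expected in manifest.items():
        path = Path(root) / rel
        if not path.is_file():
            results[rel] = "missing"
            continue
        found = pe_file_version(path)
        if found is None:
            results[rel] = "no-version"
        else:
            results[rel] = "ok" if found >= parse_version(expected) else "outdated"
    return results

def write_fake_binary(path, version):
    """Constructed stand-in carrying only a VS_FIXEDFILEINFO header; not a real PE."""
    major, minor, build, rev = parse_version(version)
    info = struct.pack("<4I", 0xFEEF04BD, 0x10000, major << 16 | minor, build << 16 | rev)
    Path(path).write_bytes(b"MZ" + b"\0" * 62 + info)

def demo():
    # Constructed manifest and directory standing in for a system32 tree.
    manifest = dict.fromkeys(["rpcss.dll", "ole32.dll", "rpcrt4.dll"], "5.0.2195.6000")
    with tempfile.TemporaryDirectory() as root:
        write_fake_binary(Path(root) / "rpcss.dll", "5.0.2195.10000")  # newer -> ok
        write_fake_binary(Path(root) / "ole32.dll", "5.0.2195.5999")   # older -> outdated
        return check_patch(manifest, root)                            # rpcrt4.dll -> missing
```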
