Full Disclosure mailing list archives
RE: RE: Probable new MS DCOM RPC worm for Windows
From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Fri, 26 Sep 2003 10:33:26 -0500
No one is going to manually touch 2000+ machines (unless you're a consultant and you get paid by the hour). That's why there're tools to check whether the file properties are correct for a particular hot fix. For example, Microsoft Baseline Security Analyzer (free), GFI Languard Network Security Scanner (inexpensive), Shavlik HFNetcheckPro (expensive), and Microsoft SMS (with SU feature pack) (very expensive) will all do file version and/or checksum calculations to verify that a particular file is what should be there to consider a patch to be installed. Some of these will even automatically deploy the patches to machines that are missing them. Many other tools do the same thing. (Let's not get into a flame war about the pros and cons of any particular tool.)

While we have other decent tools available to check whether a patch has been correctly applied to this particular vulnerability that don't depend on file versions, for most patches the only reliable way to confirm if a patch has been applied is to check the physical files.

If you're not going to verify that a patch is correctly installed through _some_ method, you're being negligent.

To answer your question, yes, if you're a responsible professional.

Jerry

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu]
Sent: Friday, September 26, 2003 9:33 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows

-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu]
Sent: Friday, September 26, 2003 8:06 AM
To: 'full-disclosure () lists netsys com'
Subject: Re: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows

I would think a better way of determining if a patch is actually installed on a system is by examining the files on the system rather than to depend upon symptoms (scanners) or installation logs (registry entries).

True, but *I'm* not going to physically touch (or even virtually touch) 2000+ machines looking at file properties. Are you?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
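The check this thread argues over, judging a hotfix by the file versions on disk rather than by registry entries alone, as an added example that is not part of the original messages or of any tool named in them. The hotfix id, file path, versions and host names are constructed placeholders, and the per-host inventory is assumed to have been collected already by an agent or remote scan.

```python
# Constructed manifest: hotfix id -> {file: minimum patched version}.
# Placeholder id, path and version; these are not real Microsoft values.
MANIFEST = {"KB-EXAMPLE": {r"system32\example.dll": "5.0.2195.6810"}}

# Constructed inventory, shaped as an agent or remote scan might report it.
FLEET = [
    {"name": "ws-001", "registry_hotfixes": {"KB-EXAMPLE"},
     "file_versions": {r"system32\example.dll": "5.0.2195.6810"}},
    {"name": "ws-002", "registry_hotfixes": {"KB-EXAMPLE"},
     "file_versions": {r"system32\example.dll": "5.0.2195.6753"}},
    {"name": "ws-003", "registry_hotfixes": set(),
     "file_versions": {r"system32\example.dll": "5.0.2195.10012"}},
    {"name": "ws-004", "registry_hotfixes": set(), "file_versions": {}},
]

def parse_version(text):
    """Compare versions numerically: as strings, '10012' sorts before '6810'."""
    return tuple(int(part) for part in text.split("."))

def files_ok(host, files):
    """True only if every listed file exists at or above its minimum version."""
    for path, minimum in files.items():
        found = host["file_versions"].get(path)
        if found is None or parse_version(found) < parse_version(minimum):
            return False
    return True

def audit(fleet, manifest):
    """Map (host, hotfix) to a status; the files decide, the registry only annotates."""
    report = {}
    for host in fleet:
        for hotfix, files in manifest.items():
            claimed = hotfix in host["registry_hotfixes"]
            ok = files_ok(host, files)
            if ok and claimed:
                status = "PATCHED"
            elif ok:
                status = "PATCHED_UNRECORDED"  # files current, no install record
            elif claimed:
                status = "MISMATCH"            # install record present, files stale
            else:
                status = "MISSING"
            report[(host["name"], hotfix)] = status
    return report

if __name__ == "__main__":
    for (name, hotfix), status in sorted(audit(FLEET, MANIFEST).items()):
        print(f"{name} {hotfix} {status}")
```

The MISMATCH row is the case a registry-only check reports as patched.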