Security Incidents mailing list archives

Fwd: ms02-018 IS dangerous after all


From: secret_shadow () hushmail com
Date: Wed, 17 Apr 2002 14:43:48 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This came across the intrusions@incidents list and I thought it might be appropriate for these lists. Sorry for the 
cross-post for those who receive multiples. This is just a forward, not a confirmation.

-----Quoted Message-----
Date: Wed, 17 Apr 2002 16:51:48 -0400
From: jmcguire () sbcs com
To: intrusions () incidents org
Subject: ms02-018 IS dangerous after all

OK, I, and apparently a few others, have been tracking this down all day
and you may read about it other places shortly, but I believe there is a
major problem with this patch and other "update" methods from our friends
in Redmond.

A server we host here got Nimda, but it was caught and cleaned by the virus
scanner (nav corp).
   On Friday, as I posted here, I installed the hotfix rollup ms02-018 on
   it with apparently no ill effects.
   Monday morning we found that the worm had made its attempt.
   This afternoon I scanned the machine with MBSA. It reported a list of
   hotfixes missing from the machine.

Most are ms02s, but ms00-079 and ms01-048 are missing too. There were
several that it could not confirm had been installed given the network
environment between the server and me.

MS states that MBSA checks for the actually patched versions of the files
using a newer version of HFNetChk. I believe them on this point and I say
why in the next paragraph. I also believe that I have proven that ms02-018
and Windows Update uninstall (probably unintentionally) previously
implemented hotfixes.

I believe the tool because now that I have applied critical updates from
windows update and ms02-018 in that order, the tool shows my 2000 pro
machine up to date. In my previous post I mentioned that the tool reported
ms02-018 turned up missing between my first scan and the scan after WU had
run.

It appears WU removed the rollup, but that the rollup goes back on fine
after a "windows update" of the machine.

Not so easy with my IIS4 server that is now missing several patches.

My logic is this: If these were merely reporting errors and the Microsoft
information I have gotten back so far is inaccurate the tool would not now
report that a machine patched in a certain sequence is up to date.
Therefore, the tool must be accurate, at least for win2k sp2 boxes, and
many of us must have unsecured IIS boxes (the obvious retort "of course IIS
isn't secure" from the Unix crowd aside). This also indicates that the tool
is likely fairly accurate on the NT4 server.

This job just keeps getting more and more interesting. I love a challenge
;-)

Anyone seeing a jump in Nimda, code red, clone scans?
__________________________________________
JOHN MCGUIRE   CISSP, MCSE2k, MCSE+I, MCT
888.529.0401
jmcguire () sbcs com
Strictly Business
www.sbcs.com





-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmIEARECACIFAjy+JhobHHNlY3JldF9zaGFkb3dAaHVzaG1haWwuY29tAAoJEIe3FlKj
7NpuMx0AoKthdl3I7GRQxgi97awMkrhJgolgAJ9gR/c5lDvTe7PbcahCximSKaTwYQ==
=7eUQ
-----END PGP SIGNATURE-----
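The post's argument rests on one distinction: a registry entry (or an "installed" line in Add/Remove Programs) says a hotfix was applied at some point, while MBSA/HFNetChk decides by comparing the versions of the files on disk with the versions each hotfix is known to ship. A later rollup that overwrites those files with older builds makes the first check lie and the second one tell the truth. The script below is an added example, not code from the post, from Microsoft, or from MBSA; it implements that file-version check in Python and adds a before/after comparison that flags files whose version went backwards after an update. The hotfix identifiers, file names and version numbers are constructed for illustration and are not real Microsoft hotfix data.

```python
"""Audit hotfix state by file version, and detect regressions after an update.

Added example (not part of the original mailing-list post). Mirrors the approach
the post attributes to MBSA/HFNetChk: a hotfix counts as present only if every
file it ships is at or above the patched version. All identifiers, file names and
version strings below are constructed for illustration, not real hotfix data.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '4.2.749.1' into (4, 2, 749, 1) so versions compare numerically.

    Short forms are right-padded with zeros ('4.2.749' -> (4, 2, 749, 0)), which
    keeps string-vs-number ordering mistakes such as '4.2.7' > '4.2.10' from
    happening.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


# Constructed table: hotfix id -> {file name: minimum version that hotfix ships}.
# A real checker would load this from a vendor-supplied catalogue.
EXPECTED: Dict[str, Dict[str, str]] = {
    "HOTFIX-A": {"asp.dll": "4.2.749.1", "w3svc.dll": "4.2.749.1"},
    "HOTFIX-B": {"inetinfo.exe": "4.2.750.3"},
}


def missing_hotfixes(installed: Dict[str, str],
                     expected: Dict[str, Dict[str, str]] = EXPECTED) -> List[str]:
    """Hotfix ids whose files are absent from the snapshot or older than required."""
    missing = []
    for hotfix, files in expected.items():
        for name, minimum in files.items():
            have = installed.get(name)
            if have is None or parse_version(have) < parse_version(minimum):
                missing.append(hotfix)
                break  # one stale file is enough to count the hotfix as missing
    return sorted(missing)


def regressions(before: Dict[str, str],
                after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(file, old version, new version) for every file whose version went backwards."""
    found = []
    for name, old in before.items():
        new = after.get(name)
        if new is not None and parse_version(new) < parse_version(old):
            found.append((name, old, new))
    return sorted(found)


def audit(registry_claims: Iterable[str], snapshot: Dict[str, str],
          expected: Dict[str, Dict[str, str]] = EXPECTED) -> Dict[str, List[str]]:
    """Contrast what the registry claims with what the files on disk show.

    'missing' is the file-version verdict; 'claimed_but_stale' lists hotfixes the
    registry still reports as installed although their files are not at the
    patched version, which is the situation the post describes.
    """
    by_files = set(missing_hotfixes(snapshot, expected))
    return {
        "missing": sorted(by_files),
        "claimed_but_stale": sorted(h for h in registry_claims if h in by_files),
    }


# Constructed snapshots: file versions recorded after the individual hotfixes were
# applied, and again after a rollup that silently reverted asp.dll.
SNAPSHOT_AFTER_HOTFIXES = {
    "asp.dll": "4.2.749.1", "w3svc.dll": "4.2.749.1", "inetinfo.exe": "4.2.750.3",
}
SNAPSHOT_AFTER_ROLLUP = {
    "asp.dll": "4.2.745.0", "w3svc.dll": "4.2.749.1", "inetinfo.exe": "4.2.750.3",
}
# The registry (constructed) still lists both hotfixes as installed.
REGISTRY_CLAIMS = {"HOTFIX-A", "HOTFIX-B"}

if __name__ == "__main__":
    print("before rollup:", audit(REGISTRY_CLAIMS, SNAPSHOT_AFTER_HOTFIXES))
    print("after rollup: ", audit(REGISTRY_CLAIMS, SNAPSHOT_AFTER_ROLLUP))
    for name, old, new in regressions(SNAPSHOT_AFTER_HOTFIXES, SNAPSHOT_AFTER_ROLLUP):
        print(f"regression: {name} {old} -> {new}")
```

Taking a file-version snapshot immediately after each patching step, and diffing snapshots rather than trusting the installed-hotfix list, is what turns "the tool says it is missing" into "this specific file was reverted by this specific update", which is the evidence needed to decide whether re-applying the hotfixes in a different order actually fixed the box.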


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com