Security Incidents mailing list archives
RE: new IIS worm? (rcp lsass.exe)
From: Bax.Plemons () alltelmd com
Date: Thu, 26 Sep 2002 08:07:07 -0400
Actually you're only partially correct. Patches that do not enter registry changes are not found by the baseline tool or hfnetchk even though they are properly installed. Some good examples of this are some SQL patches. Microsoft has a paper on this on their support site. Another possibility that you may be running into is that most(not all) patches can be overwritten by other patches or service packs which then requires you to go through the patch process all over again. Cheers Bax Plemons Corp Security "Gaydosh, Adam" <GaydoshA@ctcgsc. To: "'webbi () sapc edu'" <webbi () sapc edu>, incidents () securityfocus com org> cc: Subject: RE: new IIS worm? (rcp lsass.exe) 09/25/2002 03:40 PM I've never heard about this, does anybody else care to comment on MS patches not actually installing the files? From what I understood, in cases where the MS tools returned a vuln you thought you've covered, it's because they require a work around and not a patch [e.g. the hfnetchk warning]. The only case I've seen a installed patch fail a check was when software I'd since installed regressed a file. -----Original Message----- From: webbi () sapc edu [mailto:webbi () sapc edu] Sent: Wednesday, September 25, 2002 12:24 AM To: incidents () securityfocus com Subject: RE: new IIS worm? (rcp lsass.exe) That means those updates didn't apply properly. What MBSA, and the HFNetChk tools it's a limited version of, do is actually check if the files updated by the patch are at the proper versions. Sometimes MS patches don't apply right, so even though you've downloaded and installed it, and Windows Update, which just checks if the registry says the patch is installed, says it's installed, it's not actually installed. It's unfortunate that MS patches often don't actually patch.. -----Original Message----- From: James Williams [mailto:jwilliams () mail wtamu edu] Sent: Tuesday, September 24, 2002 4:52 PM To: Incidents; zeno Subject: Re: new IIS worm? (rcp lsass.exe) The only tool that I know of that almost does all of that is the MS Baseline Security Analyzer. It's a gui tool that scans your system and tells you what potential holes you have and tells you what patches you are missing. I have had some problems with it as far as the patches go because it will tell me that I'm missing updates that I know that I've already downloaded and installed. James Williams Network Systems Technician West Texas A&M University http://www.wtamu.edu ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: new IIS worm? (rcp lsass.exe), (continued)
- Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Muhammad Faisal Rauf Danka (Sep 27)