Patching networks redux (fwd)

["denatured" <denatured () microsoftsucks org>]

 As an Information Security Officer I assume that you consider yourself
an "Expert".  That assumption being based on the fact that with the title of 
"Officer", and the responsibility that goes with it, I'd hope you think of 
your self way.  Curious though, after having it demonstrated to you that 
your network is VERY insecure I would have thought that you would take the 
time to fix it vice writing on this discussion board throughout the day.  Is 
that not having the time/resources or just plain neglegence?  I mean 
mistakes happen, but an outright ignoring of the problem, when it has been 
released to a list of this size, should concern your employer just a little. 
If you're going to let the whole world know that
'utd48637' is low on yellow, you should put an admin password on it.  But 
why does the world nees any access to your printers...and the rest of it 
all. 

 Think about it. 



From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Schmehl, Paul L
Sent: Wednesday, July 30, 2003 6:09 PM
To: full-disclosure () lists netsys com 

For all those experts who have mastered patching your networks, please
ignore this post. 

For the rest of you, testing has shown that some patch management tools are
incorrectly reporting that MS03-026 is installed when it's not (notably
Windows Update and Update Expert, among others.)  The accuracy of the tool
depends on how they check for the patch level.  If they check the registry
(like Windows Update and Update Expert do) they will *incorrectly* report 
that MS03-026 has been installed when if fact the files have not been 
updated.  If they do MD5 checksums (like Hfnetchk or MBSA), they will 
correctly report the patch level. 

The Retina tool from eEye (and I would assume the IIS commandline tool as
well) is correctly reporting what *is* patched and what is *not* patched, so 
you need to rely on those to give you accurate information.
You could actually have users going to Windows Update and finding no patches 
available when in fact they are still vulnerable.  You could also have users 
for whom you've pushed out the patch who have overwritten the files with 
older versions, yet your tools are reporting them as patched. 

Of course the experts never have these problems, but for the mere mortals,
caveat emptor. 

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


---------------------------------------------------------------------------
Get your free email at http://www.microsoftsucks.org 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html