Full Disclosure mailing list archives

RE: SQL Server patch - why doesn't Windows update help?

From: "Jason Coombs" <jasonc () science org>
Date: Thu, 30 Jan 2003 06:40:01 -1000

HFNetChk and Microsoft Baseline Security Analyzer also failed to warn anyone
about installing the SQL Server hotfixes or SQL Server Service Pack 3 until
a couple weeks before Sapphire. You should never allow a third-party to
update code on your boxes, period. Do not use Windows Update.

You should retrieve mssecure.xml (or mssecure.cab) from the following URLs
and use them along with other resources like security bulletins, mailing
lists, and lists of authentic known good hash codes to verify that your
boxes are up-to-date and in possession of authentic vendor code.

https://xml.shavlik.com/mssecure.xml
http://xml.shavlik.com/mssecure.cab

Microsoft currently publishes a different version of mssecure.xml; it was
not updated properly prior to Sapphire, although the version published by
shavlik.com was updated with hotfix and service pack details for SQL Server
months in advance of Sapphire. Hopefully Microsoft spontaneously learned how
to keep this important data file up-to-date. See:

http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.c
ab
https://www.microsoft.com/technet/security/search/mssecure.xml

Do not forget that there is a difference between the code your box is in
possession of and the code that it executes. Verifying that your box is
patched at some point in time in the past has only circumstantial bearing on
whether or not it is actually executing that code right now.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Darren Reed
Sent: Thursday, January 30, 2003 5:30 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] SQL Server patch - why doesn't Windows update
help?


I was just thinking to myself, hmmm, I have SQL Server something*
installed on one of my Win2K boxes (service is turned off), I wonder
if I have this patched as I do regular checkups with "Windows Update"...

Well, either I haven't or I have and the "Windows Update" web site is
lieing and "Add/Remove Programs" is in league with it.

Strange.  I do a scan with "Windows Update" and it still doesn't pick
it up.

It doesn't show up under "Office Update" either.

What gives ?

I ask myself have I been deceived into thinking that this "Windows Update"
was not doing as I expected and is in fact doing far less ?  I wonder how
many other people do regular updates, using "Windows Update" and expect
it to catch all of the patches required for their system(s) and don't
give it much further thought ?

The catch I now find myself in is if "Windows Update" doesn't know it
should have installed the hotfix for SQL Server, how the hell am I
(or anyone else for that matter) meant to now work out what has and
hasn't been applied that is relevant ?  How much trust can I now put
in the "Windows Update" service to deliver me the correct patches that
my system needs ?  I wonder if I would have been one of the unsuspecting
masses that got infiltrated if I had of been trusting "Windows Update"
to keep my 'net exposed SQL servers up to date ?!

Maybe this is a "known bug" or "caveat" with "Windows Update" but if
it is, it'd sure be nice if it behaved as expected - read the "About
Windows Update" sometime.  I don't think I've got unreasonable
expectations, based on how they advertise the service, that this should
have been patched for me, already!

I wonder if you'd have a case for suing Microsoft for damages if you got
hit and used their update service on a regular basis, with it failing to
install the patch, leading to you being crompromised for (if nothing else)
false advertising of the "Windows Update" service capabilities...

Darren
* - it is one of the versions advertised as being vulnerable and no,
    there are no copyright problems with the installed products.

p.s. This is the kind of email that now gets censored from bugtraq,
I just hope it's appropriate for full-disclosure...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

SQL Server patch - why doesn't Windows update help? Darren Reed (Jan 30)
- RE: SQL Server patch - why doesn't Windows update help? Jason Coombs (Jan 30)
- <Possible follow-ups>
- Re: SQL Server patch - why doesn't Windows update help? Curt Wilson (Jan 30)
  - Re: SQL Server patch - why doesn't Windows update help? Darren Reed (Jan 30)