Security Incidents mailing list archives

RE: new IIS worm? (rcp lsass.exe)

From: "Gaydosh, Adam" <GaydoshA () ctcgsc org>
Date: Wed, 25 Sep 2002 15:40:03 -0400

I've never heard about this, does anybody else care to comment on MS patches
not actually installing the files?  From what I understood, in cases where
the MS tools returned a vuln you thought you've covered, it's because they
require a work around and not a patch [e.g. the hfnetchk warning].  The only
case I've seen a installed patch fail a check was when software I'd since
installed regressed a file. 

-----Original Message-----
From: webbi () sapc edu [mailto:webbi () sapc edu]
Sent: Wednesday, September 25, 2002 12:24 AM
To: incidents () securityfocus com
Subject: RE: new IIS worm? (rcp lsass.exe)


That means those updates didn't apply properly. What MBSA, and the HFNetChk
tools it's a limited version of, do is actually check if the files updated
by the patch are at the proper versions. Sometimes MS patches don't apply
right, so even though you've downloaded and installed it, and Windows
Update, which just checks if the registry says the patch is installed, says
it's installed, it's not actually installed. It's unfortunate that MS
patches often don't actually patch..

-----Original Message-----
From: James Williams [mailto:jwilliams () mail wtamu edu] 
Sent: Tuesday, September 24, 2002 4:52 PM
To: Incidents; zeno
Subject: Re: new IIS worm? (rcp lsass.exe)

The only tool that I know of that almost does all of that is the MS Baseline
Security Analyzer. It's a gui tool that scans your system and tells you what
potential holes you have and tells you what patches you are missing. I have
had some problems with it as far as the patches go because it will tell me
that I'm missing updates that I know that I've already downloaded and
installed.

James Williams
Network Systems Technician
West Texas A&M University
http://www.wtamu.edu


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: new IIS worm? (rcp lsass.exe), (continued)
- - Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
  - Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
    - Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
  - Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Muhammad Faisal Rauf Danka (Sep 27)