Here's some alarming information about the new MS IIS patch.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email:  [EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 5:05 PM
To: [EMAIL PROTECTED]
Subject: Fwd: ms02-018 IS dangerous after all



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Saw this on another mailing list. Thought it might be worth passing on.

- -----Quoted Message-----

Date: Wed, 17 Apr 2002 16:51:48 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ms02-018 IS dangerous after all

OK, I, and apparently a few others, have been tracking this down all day
and you may read about it other places shortly, but I believe there is a
major problem with this patch and other "update" methods from our friends
in Redmond.

A server we host here got Nimda, but it was caught and cleaned by the virus
scanner (nav corp). On Friday, as I posted here, I installed the hotfix
rollup ms02-018 on it with apparently no ill effects. Monday morning we
found that the worm had made its attempt. This afternoon I scanned the
machine with MBSA. It reported a list of hotfixes missing from the machine.

Most are ms02s, but ms00-079 and ms01-048 are missing too. There were
several that it could not confirm had been installed given the network
environment between the server and me.

MS states that MBSA checks for the actually patched versions of the files
using a newer version of HFNetchk. I believe them on this point and I say
why in the next paragraph. I also believe that I have proven that ms02-018
and Windows Update uninstall (probably unintentionally) previously
implemented hotfixes.

I believe the tool because now that I have applied critical updates from
windows update and ms02-018 in that order, the tool shows my 2000 pro
machine up to date. In my previous post I mentioned that the tool reported
ms02-018 turned up missing between my first scan and the scan after WU had
run.

It appears WU removed the rollup, but that the rollup goes back on fine
after a "windows update" of the machine.

Not so easy with my IIS4 server that is now missing several patches.

My logic is this: If these were merely reporting errors, and the Microsoft
information I have gotten back so far is inaccurate, the tool would not now
report that a machine patched in a certain sequence is up to date.
Therefore, the tool must be accurate, at least for win2k sp2 boxes, and
many of us must have unsecured IIS boxes (the obvious retort "of course IIS
isn't secure" from the Unix crowd aside). This also indicates that the tool
is likely fairly accurate on the NT4 server.

This job just keeps getting more and more interesting. I love a challenge
;-)

Anyone seeing a jump in Nimda, Code Red, clone scans?
__________________________________________
JOHN MCGUIRE   CISSP, MCSE2k, MCSE+I, MCT
888.529.0401
[EMAIL PROTECTED]
Strictly Business
 www.sbcs.com

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmIEARECACIFAjy+KxkbHHNlY3JldF9zaGFkb3dAaHVzaG1haWwuY29tAAoJEIe3FlKj
7Npu7h4An1X5SJ4X6WIGixjNk5jRTK6YwgnCAKCB4b+MmCxr0o/cgpbl3aA4QrK+Ww==
=fIch
-----END PGP SIGNATURE-----


 
 
______________________________________________________________________
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives........ http://www.mail-archive.com/cf-list@kcfusion.org