[33626] in bugtraq
RE: Another Low Blow From Microsoft: MBSA Failure!
daemon@ATHENA.MIT.EDU (Frank Knobbe)
Wed Feb 11 18:01:58 2004
From: Frank Knobbe <frank@knobbe.us>
To: Joe DeMarco <demarcoj@comcast.net>
Cc: bugtraq@securityfocus.com
In-Reply-To: <A02305CA08B0D143A752591768A7858A0DA120@prserver.prproducts.local>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-uUTpFoy7u7CpFI8+bnv7"
Message-Id: <1076462672.22665.11.camel@localhost>
Mime-Version: 1.0
Date: Tue, 10 Feb 2004 19:24:32 -0600
On Tue, 2004-02-10 at 13:26, Joe DeMarco wrote:
> Maybe it's just me but, I wouldn't consider a patch successfully applied
> until the machine is rebooted. Registry changes usually require this
> process.
I would go even further and question the reliability of just checking
for the presence of Registry keys that claim a patch has been installed.
Anything short of verifying the MD5 hash of a given DLL, driver file or
executable just makes assumptions about a patched version being present
or not. Those assumptions tend to come back to haunt you, and I believe
there are enough people that had exactly that happening. I remember some
patch (a year or so ago) that overwrote a previously patched DLL with a
vulnerable version. Anything checking Registry keys, like Windows Update
I believe, made the assumption that the system was patched when in fact
the defective DLL rendered the system vulnerable.
Any tool, Windows Update, MBSA, or 3rd party should check the actual
files in question, not just logfiles or Registry keys (or anything that
makes historical statements rather than actual statements).
Regards,
Frank
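
The check argued for in the message above, as an added example that is not part of the original post: it compares what the install records claim against digests of the files actually on disk. The patch ids, file names and file contents are constructed, the `claimed` set stands in for Registry keys or log entries, and SHA-256 is used in place of the MD5 the message mentions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(claimed: set, manifest: dict, root: Path) -> dict:
    """manifest: patch id -> {relative path: digest of the patched file}."""
    report = {}
    for patch_id, files in manifest.items():
        bad = []
        for rel, expected in files.items():
            p = root / rel
            if not p.is_file():
                bad.append((rel, "missing"))
            elif sha256_file(p) != expected:
                bad.append((rel, "hash mismatch"))
        if not bad:
            state = "verified" if patch_id in claimed else "present but not recorded"
        else:
            # The historical record and the current files disagree.
            state = "RECORDED BUT NOT PRESENT" if patch_id in claimed else "not installed"
        report[patch_id] = (state, bad)
    return report

def demo() -> dict:
    # Constructed sample data: two patches, both recorded as installed.
    fixed_a, fixed_b, old_b = b"a.dll fixed build", b"b.dll fixed build", b"b.dll old build"
    manifest = {
        "PATCH-A": {"a.dll": hashlib.sha256(fixed_a).hexdigest()},
        "PATCH-B": {"b.dll": hashlib.sha256(fixed_b).hexdigest()},
    }
    claimed = {"PATCH-A", "PATCH-B"}  # stand-in for Registry keys / logs
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.dll").write_bytes(fixed_a)
        (root / "b.dll").write_bytes(old_b)  # a later installer restored the old build
        return audit(claimed, manifest, root)

if __name__ == "__main__":
    for patch_id, (state, bad) in demo().items():
        print(patch_id, state, bad)
```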