
List:       ntbugtraq
Subject:    Re: Alert: Microsoft Security Bulletin - MS03-013 - Windows 2000 Warning
From:       "Herrick, Joe" <joe.herrick () DIGEX ! COM>
Date:       2003-04-17 19:52:10

The issue with MS03-007 was that the updated version of ntdll.dll was
incompatible with certain versions of ntoskrnl.exe.  MS03-013 appears to
include an updated version of ntoskrnl.exe (5.0.2195.6159) which, according
to the bulletin for MS03-007, should resolve the compatibility issue you
mentioned.  As always, test in a non-production environment.

When I did a binary compare between the two copies of ntdll.dll, I did not
find any difference at offset 0x8-0xA.  I did find a difference at offset
0x00D8-0x00DB, which is where the timestamp is stored in the file header,
and another at 0x0128-0x012B, which is the image checksum.  The timestamp
bytes are part of the checksum calculation, so when the timestamp changes, so
does the checksum.


Joe Herrick
NT Engineer
joe.herrick@digex.com



-----Original Message-----
From: Russ [mailto:Russ.Cooper@RC.ON.CA]
Sent: Wednesday, April 16, 2003 7:32 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin - MS03-013 - Windows 2000
Warning


Thanks to Bronek Kozicki for bringing this to my attention.

The Windows 2000 version of MS03-013 contains numerous files not listed in
the manifest supplied in KB 811493. In addition to the kernel files supplied
in the other OS patches, the following files are also included;

gdi32.dll    v5.0.2195.5907
kernel32.dll v5.0.2195.6011
msgina.dll   v5.0.2195.4733
ntdll.dll    v5.0.2195.6685
rdpwd.sys    v5.0.2195.6692
user32.dll   v5.0.2195.6000
userenv.dll  v5.0.2195.5968
win32k.sys   v5.0.2195.6003
winlogon.exe v5.0.2195.6013
winsrv.dll   v5.0.2195.5935

A brief check shows all to be post-SP3 versions.

The problem here is that by including NTDLL.DLL in MS03-013, it is
definitely applying MS03-007. As has been previously reported, there are
definitely problems installing MS03-007 on systems which had previously
applied a PSS supplied hotfix, check the archives for more details.

If Microsoft has somehow fixed the problems with MS03-007, they've never
said so. The version of NTDLL.DLL included in MS03-013 is the same as that
included in MS03-007, however as Bronek points out;

"Binary compare between MS03-007 and MS03-013 version of NTDLL.DLL reveals
six different bytes (file offset 0x8-0xA and 0x128-0x12A)"

It's also difficult to determine whether the inclusion of all of these other
files will cause some other problems for Windows 2000 systems. Let me know
if you encounter any.

Meanwhile, I would strongly suggest you avoid applying MS03-013 unless you
are able to test it in a non-production environment, and possibly wait until
Microsoft provides some form of clarification. Both the Security Bulletin
and its KB article are incorrect in stating they do not supersede any other
hotfix as clearly this is not the case for Windows 2000 systems.

More information when Microsoft decide to publish it.

Trustworthy Computing just took another big hit today.

Cheers,
Russ - NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?

Need assistance crafting the format or translating your advisory to English?

Need to verify it, or having problems contacting the Vendor?

Contact mailto:Advisories@NTBugtraq.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
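
The binary compare discussed in this thread, as an added example that is not part of either message: it locates the PE TimeDateStamp and CheckSum fields from e_lfanew, recomputes the image checksum, and labels each differing byte by the header field it falls in. make_image() and its timestamp values are constructed stand-ins (assumptions), laid out so the fields land at 0xD8 and 0x128 as in the reply above.

```python
import struct

def pe_fields(data):
    """Return {name: (start, end)} file offsets of the two header fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts = e_lfanew + 8          # signature (4) + Machine (2) + NumberOfSections (2)
    ck = e_lfanew + 24 + 64    # optional header starts at +24, CheckSum at +64 in it
    return {"TimeDateStamp": (ts, ts + 4), "CheckSum": (ck, ck + 4)}

def pe_checksum(data):
    """16-bit folded sum over the file, CheckSum field skipped, plus file length."""
    start, end = pe_fields(data)["CheckSum"]
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if start <= off < end:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return (total + len(data)) & 0xFFFFFFFF

def classify_diff(a, b):
    """Map each differing offset to the header field holding it, or 'other'."""
    if len(a) != len(b):
        raise ValueError("files differ in length")
    fields = pe_fields(a)
    out = {}
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            name = next((n for n, (s, e) in fields.items() if s <= off < e), "other")
            out.setdefault(name, []).append(off)
    return out

def make_image(timestamp, body=b"\x90" * 64):
    """Constructed stand-in for a PE file, not a real ntdll.dll."""
    img = bytearray(0x200) + body
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0xD0)      # e_lfanew, so the timestamp is at 0xD8
    img[0xD0:0xD4] = b"PE\0\0"
    struct.pack_into("<I", img, 0xD8, timestamp)
    struct.pack_into("<I", img, 0x128, pe_checksum(bytes(img)))
    return bytes(img)

old = make_image(0x3E7A1B2C)   # constructed timestamps, same body bytes
new = make_image(0x3E8F4D5E)
```

Any offset reported under "other", or a stored CheckSum that no longer equals pe_checksum(), means the two files differ in more than their build stamp.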
