Windows 2K Security Updates


Bilou_Gateux

I'm still working on the W2K Server hotfixes.

Following bilou_gateux's advice, I've been using HFNetChk.

I use XPCREATE to make an updated, patched W2K CD.

(The hotfixes I use are listed a few posts back.)

I run WUpdate. WUpdate shows I'm missing 2 critical updates.

No surprise there.

Then I run HFNetChk and it surprises me.

It tells me that the following patches were not applied:

Q329115 (Hey wait. I thought I installed this!)

Q833330 (Blaster clean. I didn't install this. No surprise)

Q840987 (I thought this was installed too!)

Q841356 (This was intentionally omitted.)

Q834707 (I didn't install this. I think it was superseded by 873377)

Q329414 (Hmm. How come WUpdate didn't flag this?)

Warnings:

Q823353 (I thought I applied this!)

Q828026 (This too.)

Next, I tried to install a few of these manually.

Q329115 Still shows up as not installed.

Q840987 This one gets fixed when applied manually.

Q823353 This still gives a warning.

Q828026 Still gives a warning.

Q329115 and Q329414 complain of invalid checksums

The others are wrong versions.

Q841356 has a lower version than expected.

The others have *higher* versions than expected.

Maybe this is because the list that HFNetChk is using is outdated.

Is anyone else getting results like this?

Is anyone else checking their patches?

Thanks for reading.

Link to comment
Share on other sites


Thanks for the feedback GM. (And thanks for sharing your work!) Any idea when the new version will be out? Do you at least have a new patchlist for W2K Server?

When you say that you install W2K Servers with all the latest updates, do you mean with integrated hotfixes or updating after the install?

Do you use HFNetChk? If so, does it show no missing patches or warnings?

I'm thinking that the master list that HFNetChk checks against is out of date (since it looks for KB834707 instead of KB873377, which superseded it ... and also some version numbers that were reported as too high). I can't get HFNetChk to give a clean report. Maybe if I went back to a clean install and applied all the patches sequentially (ie, 834707 and then 873377), but that's a real PITA. Of the five or so patches that HFNetChk reports as not being installed, four of them still fail to show up after trying to manually apply them. This doesn't surprise me if their patchlist is out of date -- but the one patch that is included in my XPCREATE CD which still needs to be applied manually in order to be recognized by HFNetChk (KB840987) still puzzles me.

I'm able to get everything to look fine (according to WUpdate) by installing the last patch or two by hand. In my first couple of posts I was only concerned with getting these last patches integrated into my XPCREATE CD. Now that I've been checking with HFNetChk I'm getting confused again.

I'm all set up for testing, which I don't mind doing. The thing is that my system is old and slow. It takes over an hour to run XPCREATE. The bottleneck (for me) is in the DRIVERS.CAB compression. Just curious, does the compression routine for the CAB files allow switches so one can optimize for speed or size? If so, it might be an easy thing to add a line to the XPCREATE.INI file to allow people with slow machines to optimize compression for speed.

Link to comment
Share on other sites

I've not used HFNetChk for a while: I use the Microsoft Baseline Security Analyzer. I was under the impression that they used the same XML file, but I do know that the latest MBSA is not compatible with the previous version. Perhaps HFNetChk still uses the previous version XML file, which may no longer be updated. Who knows ... But I still prefer MBSA.

The CAB compression can be a killer. I would suggest you set DPCABS=NO in XPCREATE.INI, while testing, and change it back for the final CD. Can save tons of time ...

Link to comment
Share on other sites

Ok. Thanks for the tip about DPCABS (what does that do?)

EDIT: Ok. I just ran MBSA and read around. Both programs are by Shavlik Technologies. Both use MSSecure.xml -- but the one that MBSA is using is from Oct. 21st and the one HFNetChk is using is from Oct. 20th. Maybe that accounts for the difference. I'm not sure. I have to read a little more to see exactly what MBSA checks (ie, checksums, version numbers or what). Anyhow, MBSA says I'm in good shape -- except for a few minor issues. </EDIT>

I don't know exactly the differences between HFNetChk and MBSA. I've also used MBSA and been happy with it. It gave a lot of information over a wide range of areas. HFNetChk is a command-line tool and has a bunch of switches. The -b switch claims to check "status of hotfixes required to meet baseline security standards". Note that this only refers to hotfixes, and MBSA checks a lot of other areas as well (like accounts, permissions, services etc...).

HFNetChk uses an XML file called mssecure.cab. This file comes from MS, but Shavlik hosts a copy. The file that I'm using was last updated October 20th. HFNetChk checks version numbers and checksums of the files affected by the hotfix (mostly dlls).

I'd be curious to know what results you get if you run HFNetChk on a recently XPCREATEd CD of W2K Server. (It's a very small download and only takes a minute to run.) I'd also be curious to see the hotfix list that gave the results.

Thanks for the feedback. I'm going to run MBSA and see what it says. I'm also going to check MS's site for a more recent version of mssecure.cab

Link to comment
Share on other sites

Here is the result of my last (French) build including ALL except:

  • 1/ recommended updates .NET Framework & Journal Viewer ;
  • 2/ Using a repackaged 834707 instead of 873377 + registry edit data "Q834707" changed to "KB834707" in value "ComponentID";
  • 3/ Q841356 added to svcpack.inf after XPCreation but not slipstreamed to i386 according to GM Post: Oct 18 2004, 01:12 AM.
  • 4/ registry edit to "kill" GDI+ Detection Tool

:: KB834707 a little sleight of hand
REG ADD "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3e7bb08a-a7a3-4692-8eac-ac5e7895755b}" /v "ComponentID" /t REG_SZ /d "KB834707" /f
:: GDI+ Detection Tool Kill Bit
REG ADD "HKLM\SOFTWARE\Microsoft\GdiDetectionTool" /v "GDITool" /t REG_DWORD /d "00000001"

Scan performed Sun Oct 31 19:45:44 2004
Shavlik Technologies Network Security Hotfix Checker, 3.85
Using XML data version = 1.1.2.227  Last modified on 10/20/2004.


----------------------------
1A (127.0.0.1)
----------------------------

* WINDOWS 2000 SERVER SP4

Note    MS02-064  Q327522
Please refer to http://hfnetchk.shavlik.com/support for a detailed
explanation.  Refer to the section on Note Messages.


Patch NOT Installed  TOOL03-039  Q833330
File C:\WINNT.1\$NtUninstallKB833330$\Blastcln\blastcln.exe cannot
be located.


Warning    MS04-019  Q842526
File C:\WINNT.1\system32\sp3res.dll has a file version
[5.0.2195.6970] that is greater than what is expected
[5.0.2195.6928].



* INTERNET EXPLORER 6 SP1

Information
All necessary hotfixes have been applied.

* WINDOWS MEDIA PLAYER 9.0 GOLD

Warning    MS03-040  Q828026
File C:\WINNT.1\system32\wmp.dll has a file version [9.0.0.3128]
that is greater than what is expected [9.0.0.3075].

Link to comment
Share on other sites

hey Bilou_Gateux

That's good feedback. Thanks. I've used two different MSSecure.XML files. I've used each with the free version of HFNetChk and MBSA with the /hf switch. I get different results every single time.

I need to set it aside for a while and look at it later with fresh eyes. For now, I'm "resting" by playing with slipstreaming SP2 into XP Pro. I'm also reading through the other forums here. A lot of material.

I'll post back when I get something sorted out.

Thanks again for the feedback.

Link to comment
Share on other sites

I finally ran HFNetChk:

Scan performed Tue Nov 02 18:06:09 2004
Shavlik Technologies Network Security Hotfix Checker, 3.86
Using XML data version = 1.1.2.227  Last modified on 10/20/2004.

----------------------------
2KSERVER (192.168.1.104)
----------------------------

* WINDOWS 2000 SERVER SP4

Patch NOT Installed  MS02-050  Q329115
File C:\WINDOWS\system32\CRYPTDLG.DLL has an invalid checksum and
its file version [5.0.1558.6608]is equal to what is expected
[5.0.1558.6608].

Note    MS02-064  Q327522
Please refer to http://hfnetchk.shavlik.com/support for a detailed
explanation.  Refer to the section on Note Messages.

Patch NOT Installed  TOOL03-039  Q833330
File C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe cannot
be located.

Warning    MS04-019  Q842526
File C:\WINDOWS\system32\sp3res.dll has a file version
[5.0.2195.6970] greater than what is expected [5.0.2195.6928].

Patch NOT Installed  MS04-032  Q840987
File C:\WINDOWS\system32\kernel32.dll has an invalid checksum and
its file version [5.0.2195.6946] is equal to what is expected
[5.0.2195.6946].

* INTERNET INFORMATION SERVICES 5.0 SP4

Information
All necessary hotfixes have been applied.

* INTERNET EXPLORER 6 SP1

Warning    MS04-018  Q823353
File C:\Program Files\Common Files\System\wab32.dll has a file
version [6.0.2800.1450] greater than what is expected
[6.0.2800.1437].

Patch NOT Installed  MS04-038  Q834707
File C:\WINDOWS\system32\urlmon.dll has a file version
[6.0.2800.1475] greater than what is expected [6.0.2800.1474]. -
File C:\WINDOWS\system32\wininet.dll has a file version
[6.0.2800.1475] greater than what is expected [6.0.2800.1468]. -
File C:\WINDOWS\system32\browseui.dll has a file version
[6.0.2800.1596] greater than what is expected [6.0.2800.1584]. -
File C:\WINDOWS\system32\inseng.dll has a file version
[6.0.2800.1475] greater than what is expected [6.0.2800.1469]. -
File C:\WINDOWS\system32\mshtml.dll has a file version
[6.0.2800.1477] greater than what is expected [6.0.2800.1476]. -
File C:\WINDOWS\system32\shdocvw.dll has a file version
[6.0.2800.1596] greater than what is expected [6.0.2800.1584]. -
File C:\WINDOWS\system32\shlwapi.dll has an invalid checksum and its
file version [6.0.2800.1584] is equal to what is expected
[6.0.2800.1584].

* WINDOWS MEDIA PLAYER 9.0 GOLD

Warning    MS03-040  Q828026
File C:\WINDOWS\system32\wmp.dll has a file version [9.0.0.3128]
greater than what is expected [9.0.0.3075].

* MDAC 2.5 SP3

Patch NOT Installed  MS02-065  Q329414
File C:\Program Files\Common Files\System\msadc\msadce.dll has an
invalid checksum and its file version [2.53.6202.0] is equal to what
is expected [2.53.6202.0].

I know it reports errors, and I do not know where the invalid checksums come from, but I do believe everything is OK, especially as MBSA comes up clean.

@urgan: I have not tried that update, but as you can see, I have no JScript issues. I'll add it to my To Do list to look into it. Thanks for pointing it out.

Link to comment
Share on other sites
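
The report format quoted in this thread can be triaged mechanically. The following is an added example, not code from the thread's posters or from Shavlik: it parses the wrapped report text and compares the bracketed versions numerically, separating files newer than the scanner's data (which the thread attributes to a superseding patch or an outdated mssecure file) from checksum mismatches and missing files. The category labels and function names are assumptions made for this example.

```python
import re
# Lines copied from the second HFNetChk report in this thread, wrapped as posted.
REPORT = r"""
Patch NOT Installed  TOOL03-039  Q833330
File C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe cannot
be located.
Warning    MS04-018  Q823353
File C:\Program Files\Common Files\System\wab32.dll has a file
version [6.0.2800.1450] greater than what is expected
[6.0.2800.1437].
Patch NOT Installed  MS04-038  Q834707
File C:\WINDOWS\system32\urlmon.dll has a file version
[6.0.2800.1475] greater than what is expected [6.0.2800.1474]. -
File C:\WINDOWS\system32\shlwapi.dll has an invalid checksum and its
file version [6.0.2800.1584] is equal to what is expected
[6.0.2800.1584].
"""

HEADER = re.compile(r"(Patch NOT Installed|Warning|Note)\s+([A-Z]+\d{2}-\d{3})\s+(Q\d+)")

def ver(s):
    return tuple(int(p) for p in s.split("."))  # numeric compare; as strings "999" > "1475"

def classify(entry):
    if "cannot be located" in entry:
        return "file-missing"
    found = re.findall(r"\[([\d.]+)\]", entry)   # [actual] then [expected]
    if len(found) < 2:
        return "unparsed"
    actual, expected = ver(found[0]), ver(found[1])
    if actual > expected:
        return "newer-than-data-file"   # superseding patch installed, or stale scanner data
    if actual < expected:
        return "older-than-expected"    # the patch really is missing
    return "checksum-mismatch" if "invalid checksum" in entry else "match"

def triage(report):
    text = " ".join(report.split())     # undo the line wrapping
    heads = list(HEADER.finditer(text))
    rows = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        for entry in re.split(r"(?:^| )File (?=[A-Za-z]:\\)", text[h.end():end])[1:]:
            name = re.match(r"(.+?) (?:has|cannot) ", entry).group(1).rsplit("\\", 1)[-1]
            rows.append((h.group(3), h.group(1), name, classify(entry)))
    return rows

if __name__ == "__main__":
    print(*triage(REPORT), sep="\n")
```

A checksum-mismatch at an equal version is the case to verify against a known-good copy of the file, since version comparison alone cannot explain it.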

About 841356

With the current version of XPCreate, 841356 HotFix type 1 is not slipstreamed correctly.

Before creating the ISO and burning the CD, some minor modifications should be made:

  • delete unused files and dir
  • edit dosnet.inf and remove last two lines

last two lines in DOSNET.INF

d1,XPCLNT_QFE_BINARYDROP\shlwapi.dll 
d1,XPSP2_BINARYDROP\shlwapi.dll

Download change.exe Text Search and Replace Utility and save it to %PREPDIR%

Copy and paste content of file below to %PREPDIR%_841356.cmd and launch it:

_841356.txt

Link to comment
Share on other sites

@bilou

Please clarify, are you still applying the js56nen update?

According to Microsoft Security Bulletin MS03-008, this update is already on SP4, that's why it never gets applied.

Do you know if using 839645 with 873377 causes the folder tree in explorer to stop working (I think I must regsvr32 some dll to fix this)?

Link to comment
Share on other sites

MS03-008: Flaw in Windows Script Engine may allow code to run (814078)

Prerequisites

Operating system | Minimum requirement
Windows XP | Windows XP or Windows XP Service Pack 1 (SP1)
Windows 2000 | Windows 2000 SP2, or SP3

probably because the M$ Security Bulletin has not been updated to add Windows 2000 SP4.

Link to comment
Share on other sites
