
[Question] - Win XP Slipstream + MBSA File List = Vulnerabilities ?



Posted (edited)

I am attempting to integrate SP2 and all current updates into an unattended installation disk. I am using a fresh Windows XP share (version 2600) and integrating the SP2 update using nLite, and then applying all the patches MS Baseline Security Analyzer 2.0 lists off for me... Upon a vulnerability scan (externally from our department), I am returned a file that lists off 60 vulnerabilities... most of which should have been fixed by SP2 or the updates I installed. Windows Update tells me that I am up-to-date on my patches.

Here's what I have:

Windows XP - Build 2600 - original disk

WindowsXP-KB835935-SP2-ENU.exe - SP2 Administrative File

The following files were listed off by MBSA 2.0, so I d/led the .exe's and

MS03-011 816093: Security Update Microsoft Virtual Machine (Microsoft VM) Critical

867460 Microsoft .NET Framework 1.1 Service Pack 1

MS04-043 Security Update for Windows XP (KB873339) Important

MS04-041 Security Update for Windows XP (KB885836) Important

MS05-007 Security Update for Windows XP (KB888302) Important

MS05-009 Security Update for Windows Messenger (KB887472) Moderate

MS05-013 Security Update for Windows XP (KB891781) Important

MS05-015 Security Update for Windows XP (KB888113) Important

MS04-044 Security Update for Windows XP (KB885835) Important

MS05-011 Security Update for Windows XP (KB885250) Critical

MS05-032 Security Update for Windows XP (KB890046) Moderate

MS05-027 Security Update for Windows XP (KB896422) Critical

MS05-033 Security Update for Windows XP (KB896428) Moderate

MS05-019 Security Update for Windows XP (KB893066) Critical

MS05-036 Security Update for Windows XP (KB901214) Critical

MS05-018 Security Update for Windows XP (KB890859) Important

MS05-026 Security Update for Windows XP (KB896358) Critical

MS05-040 Security Update for Windows XP (KB893756) Important

MS05-041 Beta 6.2 Installer version Security Update for Windows XP (KB899591) Important

MS05-041 Security Update for Windows XP (KB899591) Moderate

MS05-042 Security Update for Windows XP (KB899587) Moderate

MS05-043 Security Update for Windows XP (KB896423) Critical

MS05-004 Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903)

MS05-051 Security Update for Windows XP (KB902400) Important

MS05-046 Security Update for Windows XP (KB899589) Important

MS05-048 Security Update for Windows XP (KB901017) Important

MS05-045 Security Update for Windows XP (KB905414) Moderate

MS05-052 Cumulative Security Update for Internet Explorer for Windows XP (KB896688) Critical

MS05-047 Security Update for Windows XP (KB905749) Important

MS05-049 Security Update for Windows XP (KB900725) Important

MS05-053 Security Update for Windows XP (KB896424) Critical

890830 Windows Malicious Software Removal Tool - November 2005 (KB890830)

MS05-050 Security Update for Windows XP (KB904706) Critical

I simply add those d/led files to nLite and it says it integrates them... After an install, Windows Update says that I'm up-to-date, but the vulnerability scanner says that I have incorrect versions of .dll files and that I need to install sp2 updates to fix them.

Example:

MS05-012 is Missing...

Do I need to be installing EVERY little update that MS has ever released (even if there is a cumulative patch out for multiple previous patches)? The goal is to simply have a Windows XP SP2 disk that is fully up-to-date...

Does anybody out there know of an up-to-date list of patches that I can just keep up with and integrate as needed?

Thanks in advance.

Title Edited - Please follow new posting rules from now on.

--Zxian

Edited by Zxian

Posted

Have a look at RyanVM's packs. Use the integrator by Siginet to integrate the update packs. RyanVM hasn't made an update pack with December's updates, but everything up until November should be there.

http://ryanvm.msfn.org

Posted
Upon a vulnerability scan (externally from our department), I am returned a file that lists off 60 vulnerabilities...

I don't think MBSA scans are reliable here. Are all the updates listed in Add/Remove Programs?

Posted
I don't think MBSA scans are reliable here. Are all the updates listed in Add/Remove Programs?

Since all the individual files were integrated using nLite, Windows does not list the integrated updates. Currently in Add/Remove programs we have the few updates that weren't integrated into the slipstream, but that is all.

I really want to know how to find out if MS05-012 was replaced by a more recent, cumulative update; I am still leaning toward the scanning software being outdated or something.

Posted
So have the previous problems with the Ryan pack that users could not install new MS updates been fixed?

AFAIK, yes. I've only used them since 2.0.0 and 2.0.1 and I've never had problems installing updates with either. Just be sure to use Siginet's integrator to integrate the packs instead of nLite. nLite may work, but it's unsupported, so if you run into troubles, you're up the creek without a paddle.

Posted

I'm not sure if there's really all that much space for worry. All I know is that RyanVM works more with Siginet for the integration of the update packs than he does with nuhi. If you want to easily be able to troubleshoot the integration, use Siginet's integrator.

Posted (edited)

I don't use MBSA nor nLite but I suspect that MBSA and WU are scanning different things to determine what updates you have installed. Normally the updates are entered in the registry and hence parsed by the Add/Remove program applet.

It looks like perhaps MBSA scans the registry entries.

RyanVM hinted at something about MBSA here (but I'm not sure what exactly):

http://www.msfn.org/board/index.php?showtopic=43763&hl=

I really want to know how to find out if MS05-012 was replaced by a more recent, cumulative update; I am still leaning toward the scanning software being outdated or something.

There's a bug fix (894391).

http://support.microsoft.com/default.aspx?...kb;en-us;873333

http://support.microsoft.com/kb/894391/

Edited by Takeshi
Posted

The part that worries me currently is that I still get 'Install SP2' vulnerabilities from the scans they return to me... I used nLite originally to integrate SP2 then the RyanVM 2.0.1 pack, and

1. Windows XP 2600 (build 0)

2. Integrate SP2

3. Apply RyanVM pack 2.0.1

4. Still has 75 vulnerabilities

When I install XP 2600, and let Windows Update do everything... 0 vulnerabilities...

This sux.

Posted

What I would like to do is integrate SP2 manually... then apply RyanVM using RVM Integrator...

Is there a way/program that I can check the .dll versions of my integrated SP2 directory to verify that they were integrated correctly? I know that the vulnerability results from previous scans show the incorrect/vulnerable .dll version... I could make sure that the .dll version is newer than the vulnerable version...

Sigh.

I'm at a loss...

Posted
The part that worries me currently is that I still get 'Install SP2' vulnerabilities from the scans they return to me... I used nLite originally to integrate SP2 then the RyanVM 2.0.1 pack, and

1. Windows XP 2600 (build 0)

2. Integrate SP2

3. Apply RyanVM pack 2.0.1

4. Still has 75 vulnerabilities

When I install XP 2600, and let Windows Update do everything... 0 vulnerabilities...

This sux.

That's probably because the MBSA scans check for what hotfixes are installed, not the files themselves. I can pretty much guarantee you that you are fully up to date and have no more vulnerabilities using RyanVM's pack than you are having updated as one normally would.

Posted

O ... Hehe... The vulnerability scans aren't done using the MBSA list--I don't think--they check the files directly... I think they run some STAT scanner and it dumps a suspected vulnerable .dll version and .dll date, per file...

For instance:

ID: W2441 2005-A-0030 Risk: Medium Name: OLE Input Validation Vulnerability - XP

%SystemRoot%\system32\ole32.dll; version: 5.1.2600.2726 (xpsp.050725-1531); date: 2002/12/31

Specific Info

Web Site: http://www.microsoft.com/technet/security/...n/MS05-012.mspx

Description

By using OLE technology, an application can provide embedding

and linking support. OLE is the technology that applications use to

create and edit compound documents. There is an unchecked

buffer in the process that OLE uses to validate data. This is a

remote code execution vulnerability. An attacker who successfully

exploited this vulnerability could remotely take complete control

of an affected system. If a user or program is logged on with

administrative user rights, an attacker who successfully exploited

this vulnerability

Solution

Install the MS05-012 patch.

Using a web browser, navigate to

http://www.microsoft.com/technet/security/...n/MS05-012.mspx

and go to the Affected Software section. Find the affected software and

download and install the patch.

MS05-012 supercedes MS03-010, MS03-026, and MS03-039.

All the previous headaches were using nLite to integrate SP2 and then apply RyanVM... my new build is command-line integrated SP2 then RyanVM applied using that RVM Integrator.

I'll probably just have to do a side-by-side comparison of two machines and check their .dlls manually...
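
The side-by-side .dll check discussed in this thread can be scripted; the following is an added example, not part of any post and not code from nLite, RyanVM or the scanner vendor. It parses a finding line in the layout quoted above and compares two version inventories numerically. The inventories and the `sample_*.dll` names are constructed, and the reading of the build tag as ending in `.YYMMDD-HHMM` is an assumption.

```python
import re
from datetime import date

# Finding line copied from the scanner report quoted in the thread.
SAMPLE_FINDING = (r"%SystemRoot%\system32\ole32.dll; version: 5.1.2600.2726 "
                  r"(xpsp.050725-1531); date: 2002/12/31")
# Constructed inventories (file name -> version); sample_*.dll are hypothetical.
REFERENCE = {"ole32.dll": "5.1.2600.2726", "sample_a.dll": "5.1.2600.2180",
             "sample_b.dll": "6.0.2900.2180"}
SLIPSTREAM = {"OLE32.DLL": "5.1.2600.2726", "sample_a.dll": "5.1.2600.999"}

FINDING_RE = re.compile(
    r"^(?P<path>[^;]+);\s*version:\s*(?P<ver>\d+(?:\.\d+){3})"
    r"(?:\s*\((?P<lab>[^)]*)\))?;\s*date:\s*(?P<date>\d{4}/\d{2}/\d{2})$")
# Assumption: the build tag ends in .YYMMDD-HHMM (e.g. xpsp.050725-1531).
LAB_DATE_RE = re.compile(r"\.(\d{2})(\d{2})(\d{2})-\d{4}$")

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts

def parse_finding(line):
    """Extract path, version, build-tag date and file date from one finding."""
    m = FINDING_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised finding line: {line!r}")
    lab = LAB_DATE_RE.search(m["lab"] or "")
    build = date(2000 + int(lab[1]), int(lab[2]), int(lab[3])) if lab else None
    y, mo, d = (int(x) for x in m["date"].split("/"))
    return {"path": m["path"].strip(), "version": parse_version(m["ver"]),
            "build_date": build, "file_date": date(y, mo, d)}

def stamp_predates_build(finding):
    """True when the file date is older than the build encoded in the tag."""
    build = finding["build_date"]
    return build is not None and finding["file_date"] < build

def compare_inventories(reference, candidate):
    """Classify each reference file as same/older/newer/missing in candidate."""
    cand = {k.lower(): parse_version(v) for k, v in candidate.items()}
    report = {}
    for name, ver in sorted(reference.items()):
        want, have = parse_version(ver), cand.get(name.lower())
        if have is None:
            report[name.lower()] = "missing"
        else:
            report[name.lower()] = ("same" if have == want else
                                    "older" if have < want else "newer")
    return report
```

Versions are compared as integer tuples because a plain string comparison would rank `5.1.2600.999` above `5.1.2600.2180`. When `stamp_predates_build` returns True, the file's timestamp does not reflect its build and should not be used as evidence of patch level.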
