[Dshield] Several fixes available for critical vulnerabilities in MS IE and various flavours of MS Windows

Al Reust areust at comcast.net
Fri Apr 16 22:24:00 GMT 2004


Henny

In the resource kit is a tool called "tlist" (for task list)

tlist -t
<Quote>
C:\Test>tlist -t
System Process (0)
System (8)
   SMSS.EXE (196)
     CSRSS.EXE (220)
     WINLOGON.EXE (216) NetDDE Agent
       SERVICES.EXE (268)
         svchost.exe (460)
           Playlist.exe (1404) OleMainThreadWndName
         spoolsv.exe (488)
         msdtc.exe (516)
         DefWatch.exe (620)
         svchost.exe (636)
         Rtvscan.exe (668) Scan
         nvsvc32.exe (728)
         regsvc.exe (748)
         mstask.exe (776) SYSTEM AGENT COM WINDOW
         WinMgmt.exe (800)
         dfssvc.exe (900)
       LSASS.EXE (280)
       TASKMGR.EXE (1832) Windows Task Manager
explorer.exe (1184) Program Manager
   VPTray.exe (1228) Symantec AntiVirus Corporate Edition
   projselector.ex (1252) Roxio Easy CD & DVD Creator Home
   DrgToDsc.exe (1268) DrgToDsc
   RxMon.exe (1132) RxMonSysTrayWnd
   AcroTray.exe (1324) AcrobatTrayIcon
   NaturalColorLoa (1360)
   WZQKPICK.EXE (1392) About WinZip Quick Pick
   UEDIT32.EXE (1320) UltraEdit-32 - [A:\Reply]
   CMD.EXE (1316) C:\WINNT\system32\cmd.exe - tlist -t
     mmc.exe (1852) Services
     tlist.exe (1760)
   IEXPLORE.EXE (1912) Error - Microsoft Internet Explorer
   Eudora.exe (1848) Eudora
Icq.exe (1428) 2775689
<End Quote>

You can see by the "indent" that as SYSTEM starts, it fires up SMSS which 
in turn starts other services CSRSS then Winlogon on down. Generally 
anything that gets started as a "Service" is started under the SYSTEM 
context (Services.msc). You can recognize Symantec Antivirus under services.

Till you get to Explorer and then you see the things that "Depend" on 
Explorer etc...

So generally, one of the items in that list is what is causing the problem, 
whether it is having a problem "starting" or there is a messed "dependency."

Try restarting in the "Safe Mode" and see if you still have the same problem.

In troubleshooting something like this another tool comes to mind (from the 
Resource Kit) called KILL which will allow you to kill a process by PID or 
by Name.

<Quote>
C:\Test>kill /?
Microsoft (R) Windows NT (TM) Version 3.5 KILL
Copyright (C) 1994-1998 Microsoft Corp. All rights reserved

usage: KILL [options] <<pid> | <pattern>>*

            [options]:
                -f     Force process kill

            <pid>
               This is the process id for the task
                to be killed.  Use TLIST to get a
                valid pid

            <pattern>
               The pattern can be a complete task
               name or a regular expression pattern
               to use as a match.  Kill matches the
               supplied pattern against the task names
               and the window titles.
<End Quote>

Last but not least is the utility called "Qfecheck" which will tell you 
that an item in the Hotfix/Patch did not extract correctly (for whatever 
reason) so that you would know to uninstall and reinstall the appropriate 
Hotfix.

Frequently asked questions: Tool and Patch Available to correct Hotfix 
Packaging Anomalies
http://www.microsoft.com/technet/security/bulletin/fq01-005.mspx

Where to get it for 2000/XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;282784

R/

Al
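
The indentation rule described above (a process's parent is the nearest line above it with less indent), as an added example that is not part of the original message: a Python parser for `tlist -t` output that rebuilds each parent chain and reports what runs beneath SERVICES.EXE but is missing from a baseline. The sample is an excerpt of the listing quoted above; the baseline set and the function names are assumptions made for illustration.

```python
import re

# Excerpt of the `tlist -t` listing quoted in the message above.
SAMPLE = """\
System Process (0)
System (8)
   SMSS.EXE (196)
     WINLOGON.EXE (216) NetDDE Agent
       SERVICES.EXE (268)
         svchost.exe (460)
           Playlist.exe (1404) OleMainThreadWndName
         spoolsv.exe (488)
explorer.exe (1184) Program Manager
   CMD.EXE (1316) C:\\WINNT\\system32\\cmd.exe - tlist -t
"""
BASELINE = {"svchost.exe", "spoolsv.exe"}  # constructed for illustration
LINE = re.compile(r"^(\s*)(.+?) \((\d+)\)(?: (.*))?$")  # indent, name, pid, title

def parse_tlist(text):
    """Map pid -> record; the parent is the nearest line above with less indent."""
    procs, stack = {}, []  # stack: (indent, pid) of the currently open ancestors
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip blank lines and anything that is not a process entry
        indent, pid = len(m.group(1)), int(m.group(3))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # siblings and deeper entries are not ancestors
        procs[pid] = {"name": m.group(2), "title": m.group(4) or "",
                      "parent": stack[-1][1] if stack else None}
        stack.append((indent, pid))
    return procs

def ancestry(procs, pid):
    """Image names from the top-level process down to pid."""
    chain = []
    while pid is not None:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["parent"]
    return chain[::-1]

def outside_baseline(procs, ancestor, baseline):
    """(name, pid) of each process below `ancestor` whose name is not in baseline."""
    return [(rec["name"], pid) for pid, rec in procs.items()
            if ancestor.lower() in (n.lower() for n in ancestry(procs, pid)[:-1])
            and rec["name"].lower() not in baseline]

if __name__ == "__main__":
    print(outside_baseline(parse_tlist(SAMPLE), "SERVICES.EXE", BASELINE))
```

A baseline taken from a known-good listing of the same machine narrows the candidates to the entries that differ.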

At 05:02 PM 4/16/2004 +0200, you wrote:
>Has anyone noticed the problems with the installation of the Security Update
>for Microsoft Windows 835732? (After installing Security fix KB835732, the
>SYSTEM.exe process uses up 99% of CPU time, and makes the system
>non-responsive).
>I read in a post that Microsoft at the moment suggests that "the benefit of
>waiting (for a fix) may not be worth the risk of waiting
>(worms).  This problem isn't happening on every machine - just certain (to
>be determined) machines."
>This kept me up a couple of extra hours last night, so if you haven't
>patched yet: you're warned!
>
>Henny
>
>
>
>
>-> -----Original Message-----
>-> From: list-bounces at lists.dshield.org
>-> [mailto:list-bounces at lists.dshield.org] On Behalf Of Peter
>-> Stendahl-Juvonen
>-> Sent: woensdag 14 april 2004 12:26
>-> To: DShield General DShield Discussion List
>-> Subject: [Dshield] Several fixes available for critical
>-> vulnerabilities in MS IE and various flavours of MS Windows
>->
>->
>-> Several fixes available for critical vulnerabilities in MS
>-> IE and various flavours of MS Windows
>->
>-> FYI-
>->
>-> For those concerned (MS Security Bulletins and patches
>-> issued April 13,
>-> 2004)-
>->
>->
>-> 1) Microsoft Security Bulletin MS04-011
>-> Security Update for Microsoft Windows (835732)
>->
>-> http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
>->
>-> Who should read this document: Customers who use Microsoft® Windows®
>-> Impact of vulnerability: Remote Code Execution
>-> Maximum Severity Rating: Critical
>-> Recommendation: Customers should apply the update immediately.
>->
>-> Affected Software (in addition to Windows): Microsoft NetMeeting
>->
>->
>-> 2) Microsoft Security Bulletin MS04-012
>-> Cumulative Update for Microsoft RPC/DCOM (828741)
>->
>-> http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
>->
>-> Who should read this document: Customers who use Microsoft® Windows®
>-> Impact of vulnerability: Remote Code Execution
>-> Maximum Severity Rating: Critical
>-> Recommendation: Customers should apply the update immediately.
>->
>->
>-> 3) Microsoft Security Bulletin MS04-013
>-> Cumulative Security Update for Outlook Express (837009)
>->
>-> http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
>->
>-> Who should read this document: Customers who have Microsoft®
>-> Outlook Express® installed
>-> Impact of vulnerability: Remote Code Execution
>-> Maximum Severity Rating: Critical
>-> Recommendation: Customers should apply the update immediately.
>->
>-> Security Update Replacement: This bulletin replaces
>-> MS03-014: Cumulative Update for Outlook Express, and any
>-> prior Cumulative Security Update for Outlook Express.
>->
>->
>-> 4) Microsoft Security Bulletin MS04-014
>-> Vulnerability in the Microsoft Jet Database Engine Could
>-> Allow Code Execution (837001)
>->
>-> http://www.microsoft.com/technet/security/bulletin/ms04-014.mspx
>->
>-> Who should read this document: Customers who use Microsoft® Windows®
>-> Impact of vulnerability: Remote Code Execution
>-> Maximum Severity Rating: Important
>-> Recommendation: Customers should install the update at the
>-> earliest opportunity.
>->
>->
>-> Have downloaded and applied all patches. Installs and runs
>-> fine. (In nationalized [Finnish language] W2K Pro platform.)
>->
>-> Happy patching
>->
>->
>-> - Pete
>->
>->
>->                  "Absence of occupation is not rest;
>->              A mind quite vacant is a mind distressed."
>->               William Cowper (1731-1800); English poet.
>->
>->
>-> _______________________________________________
>-> list mailing list
>-> list at lists.dshield.org
>-> To change your subscription options (or unsubscribe), see:
>-> http://www.dshield.org/mailman/listinfo/list
>->
>
>



