[Dshield] Several fixes available for critical vulnerabilities in MS IE and various flavours of MS Windows

Security@TCS security at thijsseling.nl
Sun Apr 18 22:20:19 GMT 2004


Al,

Thanks for the advice. I used qfecheck and although the Windows Update site
says the updates failed, the qfecheck confirms all the patches are on the
system. I did not experience more problems with the patch...
Thanks for the explanation, this is very useful for me!

Henny





-> -----Original Message-----
-> From: list-bounces at lists.dshield.org 
-> [mailto:list-bounces at lists.dshield.org] On Behalf Of Al Reust
-> Sent: zaterdag 17 april 2004 0:24
-> To: General DShield Discussion List
-> Subject: RE: [Dshield] Several fixes available for critical
-> vulnerabilities in MS IE and various flavours of MS Windows
-> 
-> 
-> Henny
-> 
-> In the resource kit is a tool called "tlist" (for task list)
-> 
-> tlist -t
-> <Quote>
-> C:\Test>tlist -t
-> System Process (0)
-> System (8)
->    SMSS.EXE (196)
->      CSRSS.EXE (220)
->      WINLOGON.EXE (216) NetDDE Agent
->        SERVICES.EXE (268)
->          svchost.exe (460)
->            Playlist.exe (1404) OleMainThreadWndName
->          spoolsv.exe (488)
->          msdtc.exe (516)
->          DefWatch.exe (620)
->          svchost.exe (636)
->          Rtvscan.exe (668) Scan
->          nvsvc32.exe (728)
->          regsvc.exe (748)
->          mstask.exe (776) SYSTEM AGENT COM WINDOW
->          WinMgmt.exe (800)
->          dfssvc.exe (900)
->        LSASS.EXE (280)
->        TASKMGR.EXE (1832) Windows Task Manager
-> explorer.exe (1184) Program Manager
->    VPTray.exe (1228) Symantec AntiVirus Corporate Edition
->    projselector.ex (1252) Roxio Easy CD & DVD Creator Home
->    DrgToDsc.exe (1268) DrgToDsc
->    RxMon.exe (1132) RxMonSysTrayWnd
->    AcroTray.exe (1324) AcrobatTrayIcon
->    NaturalColorLoa (1360)
->    WZQKPICK.EXE (1392) About WinZip Quick Pick
->    UEDIT32.EXE (1320) UltraEdit-32 - [A:\Reply]
->    CMD.EXE (1316) C:\WINNT\system32\cmd.exe - tlist -t
->      mmc.exe (1852) Services
->      tlist.exe (1760)
->    IEXPLORE.EXE (1912) Error - Microsoft Internet Explorer
->    Eudora.exe (1848) Eudora
-> Icq.exe (1428) 2775689
-> <End Quote>
-> 
-> You can see by the "indent" that as SYSTEM starts, it fires up SMSS which
-> in turn starts other services CSRSS then Winlogon on down. Generally
-> anything that gets started as a "Service" is started under the SYSTEM
-> context (Services.msc). You can recognize Symantec Antivirus under services.
-> 
-> Till you get to Explorer and then you see the things that "Depend" on
-> Explorer etc...
-> 
-> So generally, one of the items in that list is what is causing the problem,
-> whether it is having a problem "starting" or there is a messed "dependency."
-> 
-> Try restarting in the "Safe Mode" and see if you still have the same problem.
-> 
-> In troubleshooting something like this another tool comes to mind (from the
-> Resource Kit) called KILL which will allow you to kill a process by PID or
-> by Name.
-> 
-> <Quote>
-> C:\Test>kill /?
-> Microsoft (R) Windows NT (TM) Version 3.5 KILL
-> Copyright (C) 1994-1998 Microsoft Corp. All rights reserved
-> 
-> usage: KILL [options] <<pid> | <pattern>>*
-> 
->             [options]:
->                 -f     Force process kill
-> 
->             <pid>
->                This is the process id for the task
->                 to be killed.  Use TLIST to get a
->                 valid pid
-> 
->             <pattern>
->                The pattern can be a complete task
->                name or a regular expression pattern
->                to use as a match.  Kill matches the
->                supplied pattern against the task names
->                and the window titles.
-> <End Quote>
-> 
-> Last but not least is the utility called "Qfecheck" which will tell you
-> that an item in the Hotfix/Patch did not extract correctly (for whatever
-> reason) so that you would know to uninstall and reinstall the appropriate
-> Hotfix.
-> 
-> Frequently asked questions: Tool and Patch Available to correct Hotfix
-> Packaging Anomalies
-> http://www.microsoft.com/technet/security/bulletin/fq01-005.mspx
-> 
-> Where to get it for 2000/XP
-> http://support.microsoft.com/default.aspx?scid=kb;en-us;282784
-> 
-> R/
-> 
-> Al
-> 
-> At 05:02 PM 4/16/2004 +0200, you wrote:
-> >Has anyone noticed the problems with the installation of the Security
-> >Update for Microsoft Windows 835732? (After installing Security fix
-> >KB835732, the SYSTEM.exe process uses up 99% of CPU time, and make the
-> >system non-responsive). I read in a post that Microsoft at the moment
-> >suggests that "the benefit of waiting (for a fix) may not be worth the
-> >risk of waiting (worms).  This problem isn't happening on every machine
-> >- just certain (to be determined) machines."
-> >This kept me up a couple of extra hours last night, so if you haven't
-> >patched yet: you're warned!
-> >
-> >Henny
-> >
-> >
-> >
-> >
-> >-> -----Original Message-----
-> >-> From: list-bounces at lists.dshield.org 
-> >-> [mailto:list-bounces at lists.dshield.org] On Behalf Of Peter 
-> >-> Stendahl-Juvonen
-> >-> Sent: woensdag 14 april 2004 12:26
-> >-> To: DShield General DShield Discussion List
-> >-> Subject: [Dshield] Several fixes available for critical
-> >-> vulnerabilities in MS IE and various flavours of MS Windows
-> >->
-> >->
-> >-> Several fixes available for critical vulnerabilities in MS IE and
-> >-> various flavours of MS Windows
-> >->
-> >-> FYI-
-> >->
-> >-> For those concerned (MS Security Bulletins and patches issued April
-> >-> 13, 2004)-
-> >->
-> >->
-> >-> 1) Microsoft Security Bulletin MS04-011
-> >-> Security Update for Microsoft Windows (835732)
-> >->
-> >-> http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
-> >->
-> >-> Who should read this document: Customers who use Microsoft® Windows®
-> >-> Impact of vulnerability: Remote Code Execution
-> >-> Maximum Severity Rating: Critical
-> >-> Recommendation: Customers should apply the update immediately.
-> >->
-> >-> Affected Software (in addition to Windows): Microsoft NetMeeting
-> >->
-> >->
-> >-> 2) Microsoft Security Bulletin MS04-012
-> >-> Cumulative Update for Microsoft RPC/DCOM (828741)
-> >->
-> >-> http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
-> >->
-> >-> Who should read this document: Customers who use Microsoft® Windows®
-> >-> Impact of vulnerability: Remote Code Execution
-> >-> Maximum Severity Rating: Critical
-> >-> Recommendation: Customers should apply the update immediately.
-> >->
-> >->
-> >-> 3) Microsoft Security Bulletin MS04-013
-> >-> Cumulative Security Update for Outlook Express (837009)
-> >->
-> >-> http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
-> >->
-> >-> Who should read this document: Customers who have Microsoft® Outlook
-> >-> Express® installed
-> >-> Impact of vulnerability: Remote Code Execution
-> >-> Maximum Severity Rating: Critical
-> >-> Recommendation: Customers should apply the update immediately.
-> >->
-> >-> Security Update Replacement: This bulletin replaces
-> >-> MS03-014: Cumulative Update for Outlook Express, and any prior 
-> >-> Cumulative Security Update for Outlook Express.
-> >->
-> >->
-> >-> 4) Microsoft Security Bulletin MS04-014
-> >-> Vulnerability in the Microsoft Jet Database Engine Could Allow Code
-> >-> Execution (837001)
-> >->
-> >-> http://www.microsoft.com/technet/security/bulletin/ms04-014.mspx
-> >->
-> >-> Who should read this document: Customers who use Microsoft® Windows®
-> >-> Impact of vulnerability: Remote Code Execution
-> >-> Maximum Severity Rating: Important
-> >-> Recommendation: Customers should install the update at the earliest
-> >-> opportunity.
-> >->
-> >->
-> >-> Have downloaded and applied all patches. Installs and runs fine. (In
-> >-> nationalized [Finnish language] W2K Pro platform.)
-> >->
-> >-> Happy patching
-> >->
-> >->
-> >-> - Pete
-> >->
-> >->
-> >->                  "Absence of occupation is not rest;
-> >->              A mind quite vacant is a mind distressed."
-> >->               William Cowper (1731-1800); English poet.
-> >->
-> >->
-> >-> _______________________________________________
-> >-> list mailing list
-> >-> list at lists.dshield.org
-> >-> To change your subscription options (or unsubscribe), see: 
-> >-> http://www.dshield.org/mailman/listinfo/list
-> >->
-> >
-> >
-> 
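Added example, not part of the original thread: the indentation reading of `tlist -t` that Al's reply describes, done programmatically so that each process can be traced back to what started it. The sample is a constructed subset of the output quoted above; the function names are this example's own, and it assumes only the `name (pid) title` line layout visible in that output.

```python
import re

# Constructed sample: a subset of the `tlist -t` output quoted in the thread.
SAMPLE = """\
System Process (0)
System (8)
  SMSS.EXE (196)
    CSRSS.EXE (220)
    WINLOGON.EXE (216) NetDDE Agent
      SERVICES.EXE (268)
        svchost.exe (460)
          Playlist.exe (1404) OleMainThreadWndName
        Rtvscan.exe (668) Scan
      LSASS.EXE (280)
explorer.exe (1184) Program Manager
  CMD.EXE (1316) C:\\WINNT\\system32\\cmd.exe - tlist -t
    tlist.exe (1760)
"""

# indent, image name, "(pid)", then an optional window title
LINE = re.compile(r"^(?P<indent> *)(?P<name>.+?) \((?P<pid>\d+)\)(?: (?P<title>.*))?$")

def parse_tlist_tree(text):
    """Return {pid: {name, title, parent, depth}} using indentation as nesting."""
    procs, stack = {}, []  # stack: (indent width, pid) of the currently open ancestors
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip blank or unrecognised lines
        indent, pid = len(m["indent"]), int(m["pid"])
        while stack and stack[-1][0] >= indent:
            stack.pop()  # siblings and deeper entries are not ancestors
        parent = stack[-1][1] if stack else None
        procs[pid] = {"name": m["name"], "title": m["title"] or "",
                      "parent": parent, "depth": len(stack)}
        stack.append((indent, pid))
    return procs

def ancestry(procs, pid):
    """Names from the top-level process down to `pid`."""
    chain = []
    while pid is not None:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["parent"]
    return chain[::-1]

def running_under(procs, ancestor_name):
    """Names of every process that has `ancestor_name` somewhere above it."""
    want = ancestor_name.lower()
    return [p["name"] for pid, p in procs.items()
            if want in (n.lower() for n in ancestry(procs, pid)[:-1])]

if __name__ == "__main__":
    tree = parse_tlist_tree(SAMPLE)
    print(" > ".join(ancestry(tree, 1404)))
    print(running_under(tree, "SERVICES.EXE"))
```
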