             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    Microsoft Hotfix Packaging Anomalies

February 5, 2001 20:00 GMT                                        Number L-041
______________________________________________________________________________
PROBLEM:       Post Service Pack 1 hotfix system catalogs were built with the
               same version numbers as older versions.
PLATFORM:      MS Windows 2000: Post Service Pack 1 hotfixes issued prior to
               December 19, 2000.
DAMAGE:        Newer hotfixes could be overwritten or otherwise replaced with
               older versions. Thus, systems could be open to vulnerabilities
               considered patched.
SOLUTION:      Run the diagnostic tool, QFECHECK.EXE (link provided), and
               apply (re-apply) appropriate patches.
______________________________________________________________________________
VULNERABILITY  LOW: Few potentially affected hotfixes have been released;
ASSESSMENT:    also, patches had to be installed in non-sequential order.
______________________________________________________________________________

[****** Microsoft Security Bulletin Starts Here ******]

Microsoft Security Bulletin (MS01-005)

Tool and Patch Available to correct Hotfix Packaging Anomalies

Originally posted: January 30, 2001

Summary

Microsoft has released a tool and patch that allow customers to diagnose and
eliminate the effects of anomalies in the packaging of hotfixes for English
language versions of Microsoft(r) Windows 2000. Under certain circumstances,
these anomalies could cause the removal of some hotfixes, which could include
some security patches, from a Windows 2000 system.

Frequently asked questions regarding this vulnerability and the patch can be
found at http://www.microsoft.com/technet/security/bulletin/fq01-005.asp

Issue

Microsoft packages all Windows 2000 hotfixes (including security patches)
with a catalog file that lists all of the valid hotfixes that have been
issued to date. The catalog is digitally signed to ensure its integrity, and
Windows File Protection uses the signed catalog to determine which hotfixes
are valid.

An error in the production of the catalog files for English language Windows
2000 Post Service Pack 1 hotfixes made available through December 18, 2000
could, under very unlikely circumstances, cause Windows File Protection to
remove a valid hotfix from a system. The removal of a hotfix could cause a
customer's system to revert to a version of a Windows 2000 module that
contained a security vulnerability.

Windows File Protection will only remove valid hotfixes from a Windows 2000
system under a very restrictive set of circumstances. The system
administrator would have to have applied multiple hotfixes in an order other
than that in which Microsoft produced and packaged them. Furthermore, Windows
File Protection would only remove hotfixes from a system if it were run
explicitly (by running sfc /scannow, for instance) or triggered by some
administrator action (such as specifying that it be invoked under a group
policy).

Affected Software Versions

  * Microsoft Windows 2000 Professional
  * Microsoft Windows 2000 Server
  * Microsoft Windows 2000 Advanced Server

Patch Availability

  * Diagnostic tool:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27333
  * Microsoft Windows 2000 Gold:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27332
  * Microsoft Windows 2000 SP1:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27330

Note: Additional security patches are available at the Microsoft Download
Center.

More Information

Please see the following references for more information related to this
issue.
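To make the failure mode in the summary concrete, the following is an added
toy model written for this CIAC page; it is not Microsoft's code and is not
part of the Microsoft bulletin. It models what the Issue section below
describes: each hotfix ships a signed catalog listing the file versions that
are valid, file protection reverts any on-disk version the current catalog
does not vouch for, and the anomalous packaging stamped the same version
number on newer and older catalogs. The "adopt a catalog when it is not older
than the current one" rule, the hotfix names (Q-FIX-1, Q-FIX-2), the module
names and the version numbers are all constructed assumptions for the
illustration. The model goes slightly beyond the bulletin by running the same
out-of-order install against correctly versioned catalogs, to show why
distinct catalog versions close the hole.

```python
"""Toy model of catalog-driven file protection and the packaging anomaly.

Added illustration, not Microsoft's code and not part of the CIAC bulletin.
Hotfix names, module names, version numbers and the catalog replacement
rule are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hotfix:
    name: str
    sequence: int          # order in which the vendor produced the fix
    catalog_version: int   # version stamped on the signed catalog it ships
    files: dict            # module name -> file version this fix installs


@dataclass
class System:
    catalog_version: int = 0
    catalog: dict = field(default_factory=dict)    # module -> versions vouched for
    installed: dict = field(default_factory=dict)  # module -> version on disk
    log: list = field(default_factory=list)


# Constructed baseline: file versions a freshly installed system carries.
BASELINE = {"kernel.dll": 100, "net.dll": 100}


def cumulative_catalog(hotfix, all_hotfixes):
    """A fix's catalog lists every valid file version produced up to its sequence."""
    valid = {}
    for h in all_hotfixes:
        if h.sequence <= hotfix.sequence:
            for module, ver in h.files.items():
                valid.setdefault(module, set()).add(ver)
    return valid


def install(state, hotfix, all_hotfixes):
    """Copy the fix's files, then adopt its catalog under the assumed rule."""
    state.installed.update(hotfix.files)
    # Assumed rule: a catalog is adopted when its version is not older than
    # the one already on the system. When version numbers collide, "not
    # older" includes "equal", so an older catalog can displace a newer one.
    if hotfix.catalog_version >= state.catalog_version:
        state.catalog = cumulative_catalog(hotfix, all_hotfixes)
        state.catalog_version = hotfix.catalog_version
        state.log.append(f"{hotfix.name}: catalog v{hotfix.catalog_version} adopted")
    else:
        state.log.append(f"{hotfix.name}: catalog v{hotfix.catalog_version} "
                         f"rejected, system has v{state.catalog_version}")


def wfp_scan(state, baseline=BASELINE):
    """Simplified protection scan: any on-disk version the catalog does not
    vouch for is reverted to the newest version that is vouched for."""
    reverted = {}
    for module, ver in list(state.installed.items()):
        valid = state.catalog.get(module, set()) | {baseline[module]}
        if ver not in valid:
            state.installed[module] = max(valid)
            reverted[module] = (ver, max(valid))
    return reverted


def qfe_check(state, hotfixes):
    """Diagnostic in the spirit of QFECHECK: name every fix whose files are
    no longer at or above the version that fix installed."""
    return [h.name for h in hotfixes
            if any(state.installed.get(m, 0) < v for m, v in h.files.items())]


def make_hotfixes(anomalous):
    """Two fixes. Anomalous packaging stamps both catalogs v1; repackaged
    catalogs carry distinct, increasing version numbers."""
    stamp = (lambda seq: 1) if anomalous else (lambda seq: seq)
    return [
        Hotfix("Q-FIX-1", 1, stamp(1), {"net.dll": 101}),
        Hotfix("Q-FIX-2", 2, stamp(2), {"kernel.dll": 101}),
    ]


def run(anomalous, order):
    """Install the named fixes in the given order, run a protection scan and
    return (what the scan reverted, which fixes the diagnostic reports missing)."""
    hotfixes = make_hotfixes(anomalous)
    by_name = {h.name: h for h in hotfixes}
    state = System(installed=dict(BASELINE))
    for name in order:
        install(state, by_name[name], hotfixes)
    return wfp_scan(state), qfe_check(state, hotfixes)


if __name__ == "__main__":
    print("anomalous, out of order: ", run(True, ["Q-FIX-2", "Q-FIX-1"]))
    print("anomalous, in order:     ", run(True, ["Q-FIX-1", "Q-FIX-2"]))
    print("repackaged, out of order:", run(False, ["Q-FIX-2", "Q-FIX-1"]))
```

Only the first run loses a fix: installing the newer Q-FIX-2 first and the
older Q-FIX-1 second lets the older catalog (same version number) displace
the newer one, so the scan no longer finds kernel.dll version 101 in the
catalog and reverts it, and the diagnostic reports Q-FIX-2 as missing. In
order, or with distinct catalog versions, nothing is reverted, which matches
the bulletin's restriction that out-of-order installation and an explicit or
policy-triggered scan are both required.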
  * Frequently Asked Questions: Microsoft Security Bulletin MS01-005,
    http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
  * Microsoft Knowledge Base (KB) article Q281767,
    http://www.microsoft.com/technet/support/kb.asp?ID=281767
    discusses this issue.
  * Microsoft Knowledge Base (KB) article Q282784,
    http://www.microsoft.com/technet/support/kb.asp?ID=282784
    discusses the tool.
  * Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Product
Support Services is available at
http://support.microsoft.com/support/contact/default.asp.

Revisions

  * January 30, 2001: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

[****** Microsoft Security Bulletin Ends Here ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
                    (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:   ftp.ciac.org
                    (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-031: Sun AnswerBook2 Vulnerability
L-032: Class Loading Vulnerability in Sun Java (TM) Runtime Environment
L-033: Sun Java Web Server Vulnerability
L-034: HP Security Vulnerability in man(1) Command
L-035: HP-UX Support Tools Manager Vulnerability
L-036: FreeBSD procfs Vulnerabilities
L-037: FreeBSD periodic Uses Insecure Temporary Files
L-038: FreeBSD inetd ident Server Vulnerability
L-039: FreeBSD sort Uses Insecure Temporary Files
L-040: The Ramen Worm