+-------------------------------------------------------------------+
 Multiple version problem inside NT Hotfixes
+-------------------------------------------------------------------+
 Hotfixes Affected : MS00-057 MS00-078 MS00-090
 Type              : Wrong Version
 Date              : 3-10-2001
 Product           : Microsoft NT Server and Workstation
 Author            : NtWaK0 www.versalys.com
+-------------------------------------------------------------------+

--------------------------------------------------------------------.
 NT Hotfixes Version Problem
--------------------------------------------------------------------.

MS00-078: Web Server Folder Traversal Vulnerability
MS00-057: File Permission Canonicalization Vulnerability
MS00-090: .ASX Buffer Overrun and .WMS Script

--------------------------------------------------------------------.
 Problem Introduction
--------------------------------------------------------------------.

MS00-078: Web Server Folder Traversal Vulnerability
  Microsoft Internet Information Server 4.0
  Microsoft Internet Information Services 5.0

  Description of vulnerability can be found at
  http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

  Patch can be found at
  http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe

MS00-057: File Permission Canonicalization Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-057.asp

  Patch can be found at
  http://download.microsoft.com/download/winntsp/Patch/q269862/NT4ALPHA/EN-US/prmcan4i.exe

As you can see from Microsoft's description, you should also apply
MS00-057; the two fixes go together, if you will. That is what makes
both hotfixes affected by the problem.

--------------------------------------------------------------------.
 Problem detail MS00-078 prmcan4i.exe
--------------------------------------------------------------------.

The problem is in the file versions included in these hotfixes.
The hotfix prmcan4i.exe is supposed to fix or change these files:

  asp.dll
  sspifilt.dll
  ssinc.dll
  w3svc.dll

Now let us look at the file versions one by one and compare them to the
files contained in the hotfix MS00-060. MS00-060 is supposed to be older
than MS00-078, so the files inside MS00-078 are supposed to be newer
than the files contained in MS00-057 and MS00-060.

Files inside the prmcan4i.exe MS00-078 :
---------------------------------------
HF\NT\prmcan4i>filever asp.dll sspifilt.dll ssinc.dll
--a-- W32i DLL ENU 4.2.749.1 shp 330,080 08-03-2000 asp.dll
--a-- W32i DLL ENU 4.2.749.1 shp  25,360 08-03-2000 sspifilt.dll
--a-- W32i DLL ENU 4.2.749.1 shp  38,256 08-03-2000 ssinc.dll
--a-- W32i APP ENU 4.2.749.1 shp 228,496 08-03-2000 w3svc.dll

Now let us compare these files with the files contained in the hotfix
MS00-060.

MS00-060: IIS Cross-Site Scripting Vulnerabilities
  Description of vulnerability can be found at
  http://www.microsoft.com/technet/security/bulletin/MS00-060.asp

Files inside the crsscri.exe MS00-060 :
--------------------------------------
--a-- W32i DLL ENU 4.2.752.1 shp 330,080 10-03-2000 asp.dll
--a-- W32i DLL ENU 4.2.752.1 shp  25,360 10-03-2000 sspifilt.dll
--a-- W32i DLL ENU 4.2.752.1 shp  38,256 10-03-2000 ssinc.dll
--a-- W32i APP ENU 4.2.752.1 shp 229,008 10-03-2000 w3svc.dll

As you can see, 4.2.752.1 is > 4.2.749.1. This may lead to a security
problem, since the newer hotfix contains older DLLs. Second, users who
think that MS00-078 is newer than MS00-060 may be wrong.

--------------------------------------------------------------------.
 Second Problem MS00-090
--------------------------------------------------------------------.

MS00-090: .ASX Buffer Overrun and .WMS Script

I found a problem with this hotfix, "wmqfe33955.exe". The file
dxmasf.dll in the hotfix (wmqfe33955.exe) is version 6.4.9.1110, but the
file on the system is version 6.4.9.1109, and when you run this hotfix
it won't update the file. Go figure.
I have tried this on 3 different NT boxes and it still did not update
the file. I did not get any error while applying the hotfix. Leaving an
older file in place will leave your system open to the exploit mentioned
in MS00-090.

  Description of vulnerability can be found at
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-090.asp

NOTE: Microsoft considers this a technical issue. I do not agree, since
this affects the hotfixes, and the job of a hotfix is, most of the time,
to fix a security problem.

________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm not
even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good | Je Pense, Donc Je Suis               \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :)   --(")--
RFCs are meant to be read and followed…:)                 /`\
NtWaK0
________________________________________________________________________
-=- Use a computer in a way that ensures respect for your fellow -=-
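
The two checks described in the advisory, as an added example (not part of the original advisory and not a Microsoft tool): it parses the quoted filever lines, compares versions numerically, and reports files where the later hotfix ships a lower version or where an installed file is still below the shipped one. The function names and the assumed nine-column filever layout are illustrative assumptions.

```python
import re

# filever lines as quoted in the advisory (MS00-078, prmcan4i.exe).
MS00_078 = """\
--a-- W32i DLL ENU 4.2.749.1 shp 330,080 08-03-2000 asp.dll
--a-- W32i DLL ENU 4.2.749.1 shp 25,360 08-03-2000 sspifilt.dll
--a-- W32i DLL ENU 4.2.749.1 shp 38,256 08-03-2000 ssinc.dll
--a-- W32i APP ENU 4.2.749.1 shp 228,496 08-03-2000 w3svc.dll
"""
# filever lines as quoted in the advisory (MS00-060, crsscri.exe).
MS00_060 = """\
--a-- W32i DLL ENU 4.2.752.1 shp 330,080 10-03-2000 asp.dll
--a-- W32i DLL ENU 4.2.752.1 shp 25,360 10-03-2000 sspifilt.dll
--a-- W32i DLL ENU 4.2.752.1 shp 38,256 10-03-2000 ssinc.dll
--a-- W32i APP ENU 4.2.752.1 shp 229,008 10-03-2000 w3svc.dll
"""

# Columns: attrs, platform, type, language, version, build tag, size, date, name.
# Assumption: every line has the nine-column layout shown in the advisory.
LINE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+(\d+(?:\.\d+)+)\s+\S+\s+[\d,]+\s+\S+\s+(\S+)$")

def parse_filever(text):
    """Map lowercased file name -> version as a tuple of ints."""
    versions = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # Compare numerically: as strings, "4.2.99.1" sorts after "4.2.749.1".
            versions[m.group(2).lower()] = tuple(int(p) for p in m.group(1).split("."))
    return versions

def regressions(earlier, later):
    """Files where the later-released hotfix ships a lower version."""
    return {n: (earlier[n], v) for n, v in later.items()
            if n in earlier and v < earlier[n]}

def not_updated(installed, shipped):
    """Files still below the hotfix's version after it was applied."""
    return sorted(n for n, v in shipped.items()
                  if n in installed and installed[n] < v)

if __name__ == "__main__":
    found = regressions(parse_filever(MS00_060), parse_filever(MS00_078))
    for name, (old, new) in sorted(found.items()):
        print(f"{name}: MS00-078 has {new}, MS00-060 has {old}")
    # Second problem: installed dxmasf.dll vs. the copy inside wmqfe33955.exe.
    print(not_updated({"dxmasf.dll": (6, 4, 9, 1109)}, {"dxmasf.dll": (6, 4, 9, 1110)}))
```

Running not_updated() against a fresh filever listing of the system directory after each hotfix install catches the silent non-update described for MS00-090.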