PROBLEM: Post Service Pack 1 hotfix system catalogs were built with the same version numbers as older versions.
PLATFORM: MS Windows 2000: Post Service Pack 1 hotfixes issued prior to December 19, 2000.
DAMAGE: Newer hotfixes could be overwritten or otherwise replaced with older versions. Thus, systems could be open to vulnerabilities considered patched.
SOLUTION: Run the diagnostic tool, QFECHECK.EXE (link provided), and apply (re-apply) the appropriate patches.
VULNERABILITY ASSESSMENT: LOW: Few potentially affected hotfixes have been released; also, patches had to be installed in non-sequential order.
[****** Microsoft Security Bulletin Starts Here ******]
Microsoft Security Bulletin (MS01-005)
Tool and Patch Available to correct Hotfix Packaging Anomalies
Originally posted: January 30, 2001
Summary
Microsoft has released a tool and patch that allow customers to diagnose
and eliminate the effects of anomalies in the packaging of hotfixes for
English language versions of Microsoft(r) Windows 2000. Under certain
circumstances, these anomalies could cause the removal of some hotfixes,
which could include some security patches, from a Windows 2000 system.
Frequently asked questions regarding this vulnerability and the patch can
be found at:
http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
Issue
Microsoft packages all Windows 2000 hotfixes (including security patches)
with a catalog file that lists all of the valid hotfixes that have been
issued to date. The catalog is digitally signed to ensure its integrity,
and Windows File Protection uses the signed catalog to determine which
hotfixes are valid. An error in the production of the catalog files for
English language Windows 2000 Post Service Pack 1 hotfixes made available
through December 18, 2000 could, under very unlikely circumstances, cause
Windows File Protection to remove a valid hotfix from a system. The removal
of a hotfix could cause a customer's system to revert to a version of a
Windows 2000 module that contained a security vulnerability.
Windows File Protection will only remove valid hotfixes from a Windows 2000
system under a very restrictive set of circumstances. The system administrator
would have to have applied multiple hotfixes in an order other than that in
which Microsoft produced and packaged them. Furthermore, Windows File
Protection would only remove hotfixes from a system if it were run explicitly
(by running sfc /scannow, for instance) or triggered by some administrator
action (such as specifying that it be invoked under a group policy).
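The mechanism described above (a signed catalog that lists the valid hotfixes, a newer catalog stamped with the same version number as an older one, and a protection scan that rolls back any hotfixed file the trusted catalog does not list) is easier to reason about with a small model. The following is an added example, not Microsoft's code and not the real Windows File Protection or QFECHECK implementation; the file names, version numbers, hotfix names and the rule that a catalog of the same or higher version replaces the trusted one are all constructed assumptions chosen to reproduce the behaviour the bulletin describes. It shows that the rollback only happens when hotfixes are applied out of order with same-versioned catalogs, and that a diagnostic comparing installed file versions against the versions each hotfix should have left behind detects the reverted file.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hotfix:
    name: str
    catalog_version: int   # version stamped on the hotfix's signed catalog
    files: dict            # protected file -> version this hotfix installs
    catalog: dict          # cumulative listing of valid file versions to date


@dataclass
class System:
    baseline: dict                                 # file -> pre-hotfix version
    installed: dict = field(default_factory=dict)
    catalog: dict = field(default_factory=dict)    # currently trusted catalog
    catalog_version: int = -1

    def apply(self, hf: Hotfix) -> None:
        # Install the files; a catalog of the same or higher version replaces
        # the trusted catalog (assumed rule, modelling the bulletin's "same
        # version numbers as older versions").
        self.installed.update(hf.files)
        if hf.catalog_version >= self.catalog_version:
            self.catalog = dict(hf.catalog)
            self.catalog_version = hf.catalog_version

    def scan(self) -> list:
        # Protection scan: a hotfixed file not listed in the trusted catalog is
        # treated as invalid and rolled back to the baseline version.
        reverted = []
        for f, ver in list(self.installed.items()):
            if self.catalog.get(f) != ver:
                self.installed[f] = self.baseline[f]
                reverted.append(f)
        return sorted(reverted)

    def versions(self) -> dict:
        return {**self.baseline, **self.installed}


def missing_hotfix_files(sys_: System, required: dict) -> list:
    # Diagnostic pass (constructed, not QFECHECK itself): which protected files
    # sit below the version the applied hotfixes should have left behind?
    cur = sys_.versions()
    return sorted(f for f, v in required.items() if cur[f] < v)


BASELINE = {"a.dll": 2000, "b.dll": 2000}          # constructed versions
HOTFIX_A = Hotfix("Q-A", 1, {"a.dll": 2100}, {"a.dll": 2100})
# Newer hotfix packaged with the SAME catalog version as Q-A (the anomaly).
HOTFIX_B_BAD = Hotfix("Q-B", 1, {"b.dll": 2200}, {"a.dll": 2100, "b.dll": 2200})
# Same hotfix with a correctly incremented catalog version.
HOTFIX_B_FIXED = Hotfix("Q-B", 2, {"b.dll": 2200}, {"a.dll": 2100, "b.dll": 2200})
REQUIRED = {"a.dll": 2100, "b.dll": 2200}


def run(order: list) -> tuple:
    """Apply hotfixes in the given order, run one protection scan, and return
    (files reverted by the scan, files the diagnostic reports as missing)."""
    s = System(dict(BASELINE))
    for hf in order:
        s.apply(hf)
    reverted = s.scan()
    return reverted, missing_hotfix_files(s, REQUIRED)


if __name__ == "__main__":
    print("in order, anomalous catalogs:   ", run([HOTFIX_A, HOTFIX_B_BAD]))
    print("out of order, anomalous catalogs:", run([HOTFIX_B_BAD, HOTFIX_A]))
    print("out of order, fixed catalogs:    ", run([HOTFIX_B_FIXED, HOTFIX_A]))
```

Installing Q-A then Q-B leaves the cumulative catalog in place, so nothing is reverted; installing them in the reverse order with same-versioned catalogs lets Q-A's older catalog displace Q-B's, and the next scan rolls b.dll back to its baseline version, which the diagnostic reports. With the catalog version incremented, the out-of-order install no longer replaces the newer catalog and the scan leaves both files alone, which is why the bulletin's fix is a repackaged catalog plus a tool to find and re-apply what was lost.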
Affected Software Versions
* Microsoft Windows 2000 Professional
* Microsoft Windows 2000 Server
* Microsoft Windows 2000 Advanced Server
Patch Availability
* Diagnostic tool:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27333
* Microsoft Windows 2000 Gold:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27332
* Microsoft Windows 2000 SP1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27330
Note: Additional security patches are available at the Microsoft Download Center.
More Information
Please see the following references for more information related to this issue.
* Frequently Asked Questions: Microsoft Security Bulletin MS01-005,
http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
* Microsoft Knowledge Base (KB) article Q281767,
http://www.microsoft.com/technet/support/kb.asp?ID=281767 discusses
this issue.
* Microsoft Knowledge Base (KB) article Q282784,
http://www.microsoft.com/technet/support/kb.asp?ID=282784 discusses
the tool.
* Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product
Support Services is available at:
http://support.microsoft.com/support/contact/default.asp.
Revisions
* January 30, 2001: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
[****** Microsoft Security Bulletin Ends Here ******]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)