Message-ID: <41B1FD84D49E05448A4233378E6BF475163C3C@entmsgnt03.fm.frd.fmlh.edu>
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: RE: Probable new MS DCOM RPC worm for Windo ws
No one is going to manually touch 2000+ machines (unless you're a
consultant and you get paid by the hour). That's why there're tools to
check whether the file properties are correct for a particular hot fix.
For example, Microsoft Baseline Security Analyzer (free), GFI LANguard
Network Security Scanner (inexpensive), Shavlik HFNetChkPro
(expensive), and Microsoft SMS (with SU feature pack) (very expensive)
will all do file version and/or checksum calculations to verify that a
particular file is what should be there to consider a patch to be
installed. Some of these will even automatically deploy the patches to
machines that are missing them. Many other tools do the same thing.
(Let's not get into a flame war about the pros and cons of any
particular tool.)

While we have other decent tools available to check whether a patch has
been correctly applied to this particular vulnerability that don't
depend on file versions, for most patches the only reliable way to
confirm if a patch has been applied is to check the physical files.

If you're not going to verify that a patch is correctly installed
through _some_ method, you're being negligent. To answer your question,
yes, if you're a responsible professional.

Jerry

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@...allas.edu]
Sent: Friday, September 26, 2003 9:33 AM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for
Windo ws
> -----Original Message-----
> From: Gary Flynn [mailto:flynngn@....edu]
> Sent: Friday, September 26, 2003 8:06 AM
> To: 'full-disclosure@...ts.netsys.com'
> Subject: Re: [Full-Disclosure] RE: Probable new MS DCOM RPC
> worm for Windo ws
>
>
> I would think a better way of determining if a patch is
> actually installed on a system is by examining the files on
> the system rather than to depend upon symptoms (scanners) or
> installation logs (registry entries).
True, but *I'm* not going to physically touch (or even virtually touch)
2000+ machines looking at file properties. Are you?
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
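
The file-based check discussed in this thread, as an added example that is not part of the original messages or of any tool named in them: it judges each machine by the file's version and checksum and flags hosts whose install record (registry entry) claims a hotfix the files do not bear out. The hotfix id, file name, versions, hashes and host inventory are all constructed placeholders.

```python
import hashlib

PATCHED = b"constructed bytes standing in for the patched file"
# Constructed manifest: hotfix id, file name, version and hash are placeholders.
MANIFEST = {"KB-PLACEHOLDER": {"file": "example.dll",
                               "min_version": "5.0.2195.6810",
                               "sha256": hashlib.sha256(PATCHED).hexdigest()}}
# Constructed inventory, as a collection agent might report it per machine.
HOSTS = [
    {"name": "ws-001", "registry_hotfixes": {"KB-PLACEHOLDER"},
     "files": {"example.dll": {"version": "5.0.2195.6810", "data": PATCHED}}},
    {"name": "ws-002", "registry_hotfixes": {"KB-PLACEHOLDER"},
     "files": {"example.dll": {"version": "5.0.2195.999", "data": b"old"}}},
    {"name": "ws-003", "registry_hotfixes": set(),
     "files": {"example.dll": {"version": "5.0.2195.6810", "data": b"other"}}},
    {"name": "ws-004", "registry_hotfixes": set(), "files": {}},
]

def parse_version(text):
    """'5.0.2195.999' -> (5, 0, 2195, 999): compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))

def verify_hotfix(host, rule):
    """Judge one hotfix on one host from the file itself."""
    entry = host["files"].get(rule["file"])
    if entry is None:
        return "FILE_MISSING"
    if parse_version(entry["version"]) < parse_version(rule["min_version"]):
        return "FILE_OUTDATED"
    if hashlib.sha256(entry["data"]).hexdigest() != rule["sha256"]:
        return "HASH_MISMATCH"
    return "VERIFIED"

def audit(hosts, manifest):
    """Return (host, hotfix, file_status, registry_claims_installed) rows."""
    return [(h["name"], kb, verify_hotfix(h, rule), kb in h["registry_hotfixes"])
            for h in hosts for kb, rule in manifest.items()]

def discrepancies(report):
    """Rows where the install record says patched but the file does not."""
    return [row for row in report if row[3] and row[2] != "VERIFIED"]

if __name__ == "__main__":
    for row in audit(HOSTS, MANIFEST):
        print(*row)
    print("registry/file mismatch:", discrepancies(audit(HOSTS, MANIFEST)))
```

Host ws-002 shows why versions are parsed into integers: compared as text, "5.0.2195.999" sorts above "5.0.2195.6810" and the machine would be reported as patched.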