Microsoft Patching Observations

Published: 2006-11-17
Last Updated: 2006-11-18 15:21:21 UTC
by Marcus Sachs (Version: 1)
One of our readers applied all of the Microsoft patches that came out on Tuesday, then sent us a rather detailed note about his observations in response to our request for comments.  I sanitized it a bit to remove any personal details, otherwise it is pretty close to what he sent us.  By the way, there's a nice exploit of MS06-070 available on a popular security site in case you need a reason to get your patching done before you go home tonight.


You wanted 'em, you got 'em. Toyota... as the saying goes. Mystifying.

1. 'Went to the MS Update site, which called for 6 priority updates. I added one additional: KB920342 (for P2P). The ones called for as "Priority" updates were listed in this order:
- KB927978 MSXML 4.0 SP2 Security Update
- KB920213 MSAgent (MS06-068)
- KB923980 Netware... (MS06-066) [which is NOT installed on this machine (?)]
- KB924270 Workstation svc... (MS06-070)
- KB922760 IE[6?] (MS06-067)
- IEv7...

- KB920342 P2P (...the "extra" one I chose. Duh. 'Like I wasn't going to have enough trouble already.)
-----------------------------------------------------
2. They installed themselves in this order as I watched it, as I thought the MS Update site would prioritize them in the correct order (...duh, again.):
- KB920342 P2P
- IEv7 (...which, of course, you have to help with the prompts, the "OK" for WGA, etc.)
- KB920213 MSAgent (MS06-068)
- KB923980 Netware... (MS06-066)
- KB924270 Workstation svc... (MS06-070)
- KB922760 IE[6?] (MS06-067)
- KB927978 MSXML 4.0 SP2 Security Update ...then REBOOT, of course.
-----------------------------------------------------
3. After rebooting, went back to the Admin account (1 of 2 on this XP Home PC), tweaked IE7 a bit, found that it had installed this annoying "Language Toolbar", which I disabled via its own control options. OK, 'looks fairly clean.
'Went back and let MS Update check again, just to make sure I hadn't missed anything - 'looks good; checked the PC's "Update History", which I also printed ('glad I saved that). 'Cleaned up the temp files from the installs using "Easy Cleaner". 'Seemed like it did its usual good job. Logged off the Admin account and went to check on the LUA accounts on this PC (4 of them). Dang it! The dopey "Language Toolbar" was installed on EVERY one of the LUA accounts - disabled them via the toolbar's own control options. 'Tweaked/checked settings in IE7, just like I had in the Admin account. Ahhh, 'seems like we're ready to go; wrong.
Now, I have an "extra" service running that I didn't before - "ctfmon.exe", even in ALL the LUA accounts.
- The "ctfmon.exe" (from MSOfficeXP, supposedly) info can be found at KB326526 and KB282599, and probably others. I am NOT going to jump through all the hoops listed in those articles - and I shouldn't have to call the MS eternal wait phone to get a hotfix for this. 'Not even sure it would fix the startup of that service, which -was not- starting before I did this bunch of patches. I found out I can "kill" this service using any number of utilities available, but it returns with just a logoff/logon, and of course with a reboot. WTF?
- Ran MSCONFIG from an Admin account, and saw that I could eliminate the startup of "ctfmon.exe"; did so. Rebooted, and it stuck itself back in the startups again. Dang it! Blowing away the registry item (Run) MIGHT take care of it, but it might give me a BSOD, too. WTF?
- In running MSCONFIG, I also noted there was yet another new service started called "Remote Packet Protocol Capture (Experimental v0)" added, which I disabled, and it appears to stay that way (whew!). WTF?*
-----------------------------------------------------
Chapter 4 (now part of an "MS Updates for Dummies" book coming your way any day now). Further checking in the Control Panel led to more frustration and misery - the list of patches supposedly shown under "Add/Remove Programs" does NOT list "KB927978 MSXML 4.0 SP2 Security Update" on the list. Had I not -saved- the MS Update site's "Update History", I would be babbling in my sleep, but since I did, I know it installed because I watched it do so, -and- I have that list of the updates I let it install on 11.15.2006.
So, I did a KB search @ http://support.microsoft.com/search/?adv=1 to look for KB927978; 'tried that several times today and got "...not found" and "The Knowledge Base (KB) is currently not available". ARRGGHH!
-----------------------------------------------------
"Do not forget to report such trouble back to Microsoft as well..." - why? They really don't give a hoot.

I guess I'm lucky that the machine is still running at all, but all my forensic skills went in the dumper today, it seems. 'Just one of those days, I guess. I'm going to bed now, after a few Jameson's...

Wow.  Just when you thought patching was getting easier.  Thanks again, Reader, for your comments and thoughts!

Marcus H. Sachs
SANS Internet Storm Center

*Note: Two readers have already reported in that the "Remote Packet Protocol Capture (Experimental v0)" is typically installed with WinPCap.
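Two of the reader's headaches above are really inventory questions: an autostart (ctfmon.exe) that comes back in every account after being disabled in MSCONFIG, and an update (KB927978) that Update History lists but Add/Remove Programs does not. The script below is an added example, not the diary's or the reader's own code. It walks the Run/RunOnce keys of HKLM and of every loaded user hive, flagging the suspect binary, and then matches an expected list of KB numbers against both the Uninstall registry keys (what Add/Remove Programs reads) and the Win32_QuickFixEngineering WMI class (what "wmic qfe" reads), so an update registered under a product name that merely contains the KB number is still found. It assumes PowerShell is available and is run as an administrator (the reader's 2006 XP Home box would not have had PowerShell by default); the KB list and the ctfmon.exe name are taken from the reader's note and are the only inputs.

```powershell
# Added example (not from the ISC diary or its reader). Assumes PowerShell 2.0+
# running as an administrator. Only hives of currently loaded user profiles are
# visible under HKEY_USERS; logged-off accounts need their NTUSER.DAT loaded first.

# Inputs taken from the reader's note (constructed sample; edit to taste).
$ExpectedKBs = 'KB927978','KB920213','KB923980','KB924270','KB922760','KB920342'
$Suspect     = 'ctfmon.exe'

# ---- 1. Autostart (Run/RunOnce) entries, machine-wide and per loaded user hive ----
$runSubKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# HKEY_USERS holds one hive per loaded profile; skip the *_Classes hives.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
             Where-Object { $_.PSChildName -notlike '*_Classes' } |
             ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }
$hives = @('HKEY_LOCAL_MACHINE') + @($userHives)

"== Autostart entries =="
foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $path = "Registry::$hive\$sub"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path                      # Microsoft.Win32.RegistryKey
        foreach ($name in $key.GetValueNames()) {
            $cmd  = [string]$key.GetValue($name)
            $flag = ''
            if ($name -like "*$Suspect*" -or $cmd -like "*$Suspect*") { $flag = '  <-- suspect' }
            '{0,-60} {1,-18} {2}{3}' -f "$hive\$sub", $name, $cmd, $flag
        }
    }
}

# ---- 2. Expected KBs vs what the box actually registers --------------------------
# Source A: the Uninstall keys behind Add/Remove Programs. Match the KB number against
# the subkey name AND DisplayName, since a package may register under a product
# name that only contains the KB number rather than under a KB-named key.
$uninstallRoots = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$uninstallEntries = @()
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in (Get-ChildItem $root)) {
        $dn = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
        $uninstallEntries += New-Object PSObject -Property @{ Key = $sub.PSChildName; DisplayName = [string]$dn }
    }
}

# Source B: Win32_QuickFixEngineering (what "wmic qfe" shows). It reports hotfixes
# applied through the OS update mechanism but not updates packaged as MSI installers,
# so a miss here alone is not proof that an update is absent.
$qfeIds = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }

"`n== Expected updates =="
foreach ($kb in $ExpectedKBs) {
    $arp = $uninstallEntries | Where-Object { $_.Key -like "*$kb*" -or $_.DisplayName -like "*$kb*" }
    $qfe = $qfeIds | Where-Object { $_ -like "*$kb*" }
    $where = @()
    if ($arp) {
        $labels = $arp | ForEach-Object { if ($_.DisplayName) { $_.DisplayName } else { $_.Key } }
        $where += 'Add/Remove: ' + ($labels -join '; ')
    }
    if ($qfe) { $where += 'QFE: ' + ($qfe -join '; ') }
    if ($where) { '{0}  found via {1}' -f $kb, ($where -join ' | ') }
    else        { '{0}  NOT registered in Add/Remove or QFE; check Windows Update history before assuming it is missing' -f $kb }
}
```

Run it from an administrative PowerShell prompt after the reboot. Because only loaded hives appear under HKEY_USERS, the LUA accounts the reader had to log into one by one will only be listed while they are logged on, or after their NTUSER.DAT has been loaded with `reg load HKU\<name> <path>`; the `<name>` and `<path>` are placeholders, not values from the page. An entry that the first section flags in several user hives is what a per-user autostart re-added at logon looks like, which is consistent with the reader's observation that disabling it in MSCONFIG did not stick.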