Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: ciacl041.htm

Microsoft Hotfix Packaging Anomalies



Microsoft Hotfix Packaging Anomalies Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-041: Microsoft Hotfix Packaging Anomalies

February 5, 2001 21:00 GMT

PROBLEM: Post Service Pack 1 hotfix system catalogs were built with same version numbers as older versions.
PLATFORM: MS Windows 2000: Post Service Pack 1 hotfixes issued prior to December 19, 2000.
DAMAGE: Newer hotfixes could be overwritten or otherwise replaced with older versions. Thus, systems could be open to vulnerabilities considered patched.
SOLUTION: Run the diagnostic tool, QFECHECK.EXE (link provided), and apply (re-apply) appropriate patches.

VULNERABILITY
ASSESSMENT:
LOW: Few potentially affected hotfixes have been released; also, patches had to be installed in non-sequential order.

[******  Microsoft Security Bulletin Starts Here ******]

Microsoft Security Bulletin (MS01-005)

Tool and Patch Available to correct Hotfix Packaging Anomalies

Originally posted: January 30, 2001

Summary

Microsoft has released a tool and patch that allow customers to diagnose
and eliminate the effects of anomalies in the packaging of hotfixes for
English language versions of Microsoft(r) Windows 2000. Under certain
circumstances, these anomalies could cause the removal of some hotfixes,
which could include some security patches, from a Windows 2000 system.
Frequently asked questions regarding this vulnerability and the patch can
be found at:
http://www.microsoft.com/technet/security/bulletin/fq01-005.asp

Issue

Microsoft packages all Windows 2000 hotfixes (including security patches)
with a catalog file that lists all of the valid hotfixes that have been
issued to date. The catalog is digitally signed to ensure its integrity,
and Windows File Protection uses the signed catalog to determine which
hotfixes are valid. An error in the production of the catalog files for
English language Windows 2000 Post Service Pack 1 hotfixes made available
through December 18, 2000 could, under very unlikely circumstances, cause
Windows File Protection to remove a valid hotfix from a system. The removal
of a hotfix could cause a customer's system to revert to a version of a
Windows 2000 module that contained a security vulnerability.

Windows File Protection will only remove valid hotfixes from a Windows 2000
system under a very restrictive set of circumstances. The system administrator
would have to have applied multiple hotfixes in an order other than that in
which Microsoft produced and packaged them. Furthermore, Windows File
Protection would only remove hotfixes from a system if it were run explicitly
(by running sfc/scannow for instance) or triggered by some administrator
action (such as specifying that it be invoked under a group policy).

Affected Software Versions

        * Microsoft Windows 2000 Professional
        * Microsoft Windows 2000 Server
        * Microsoft Windows 2000 Advanced Server

Patch Availability

        * Diagnostic tool:
          http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27333
        * Microsoft Windows 2000 Gold:
          http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27332
        * Microsoft Windows 2000 SP1:
          http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27330

Note Additional security patches are available at the Microsoft Download Center

More Information

Please see the following references for more information related to this issue.

        *  Frequently Asked Questions: Microsoft Security Bulletin MS01-005,
           http://www.microsoft.com/technet/security/bulletin/fq01-005.asp
        *  Microsoft Knowledge Base (KB) article Q281767,
           http://www.microsoft.com/technet/support/kb.asp?ID=281767 discusses
           this issue.
        *  Microsoft Knowledge Base (KB) article Q282784,
           http://www.microsoft.com/technet/support/kb.asp?ID=282784 discusses
           the tool.

*  Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Product
Support Services is available at:
http://support.microsoft.com/support/contact/default.asp.

Revisions

        * January 30, 2001: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.

[******  Microsoft Security Bulletin Ends Here ******]


CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH