SANS ISC: August 2010 Micrsoft Black Tuesday Summary

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

I'm getting Code 80070643, unknown error, when I try to install KB2183461 on a relatively fresh install of Windows 7 Professional 32-bit.

MS010-46 is listed in MS's August rollout, even though it was released last week. You might want to provide current intel on that in your table here, for those that haven't applied it yet, since it is publically disclosed and active.

I was able to install all updates except KB2183461, KB983590 and KB978886 (on Win 7 32bit). KB978886 actually did install but on reboot my network failed with "The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified." in the event log. I had to uninstall from the command line to get it to work (Windows Updates in control panel would not show the previously installed updates...)

The other 2 updates would not install at all and gave me the error I reported above, ie. 80070643, unknown error.

At the moment I guess nobody else is seeing this so it must be somewhat rare... but if someone does come across this, the solution was (from CMD): wusa.exe /uninstall /kb:<KB Number> (that is, 978886.

@jevansts

For the Windows Updater issues either post to the Windows Update forum
http://social.answers.microsoft.com/Forums/en-US/vistawu/threads
or, since they are all Security updates, contact MS for *no-charge* support for getting them installed and troubleshooting compatibility -
" How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support website:
http://support.microsoft.com/common/international.aspx?rdpath=4
North American customers can also obtain instant access to unlimited no-charge email support or to unlimited individual chat support by visiting the following Microsoft website:
http://support.microsoft.com/oas/default.aspx?&prid=7552
For enterprise customers support for security updates is available through your usual support contacts. "

Hi,

I'm wondering why MS10-049 (SChannel) is Important for Clients and Critical for Servers when from everything I can work out it's a Client-Side Vuln.? What am I missing?

Also, there's been exploit code released for MS10-054 as of the 10th:
http://www.exploit-db.com/exploits/14607/

After patching and rebooting some of the 2003 and 2008 servers here we had a DNS server failure. It would not resolve addresses. Another reboot seemed to fix things.

-Al

@david, A server can act as a client too. (although not recommended)

-049 is critical for servers because it finally includes the fix for the TLS/SSL renegotiation issue from last Nov for IIS 6 & 7. It appears that PoC's exist for -051 and -054 as well, we probably won't update the table again, but will do new diary entries if we start seeing this vulnerabilities being exploited in the wild.

so why Important for Clients but Critical for Servers? Especially seeing how it's RCE with SYSTEM privs for clients (from a shady memory)

I have a question regarding last month's MS OFFICE SP1 end of life.

Do I need to assume Office SP1 is also vulnerable (Word vulnerability)?
Microsoft has omitted to state this in its bulletin, probably because they no longer offer patches for SP1.
If someone could clarify this point it would be quite useful.

Sugata: Which version of Office are you referring too? I'm assuming if they are not listed in the bulletin, they are most likely vulnerable.

I am referring to the EOL announced last month Office 2007 SP1 see link

http://support.microsoft.com/lifecycle/?p1=8753

I would assume Office 2007 SP1 is also vulnerable, not just SP2

-057 only applies to Office XP and Office 2003 (I should have made that more clear in the table, I suppose). I think it is safe to say that -057 also affects Office 2007 SP1, but since that is past EOL, Microsoft will never mention it again.

that should have read -056 also affects Office 2007 SP1...

What in your opinion are the odds that we will see expoits in the wild sooner than later?

KB for MS10-056 is KB2269638 not KB2269707