SANS ISC: MS10-015 re-released SANS ISC InfoSec Forums

MS10-015 re-released

Microsoft has re-released the patch for MS10-015 (http://blogs.technet.com/msrc/archive/2010/03/02/update-ms10-015-security-update-re-released-with-new-detection-logic.aspx).  Reader Brian noticed that the patch in his WSUS had expired today and correctly surmised that an update was imminent.  

A tool has also been released that will scan machines for compatibility with the new patch.  This is also available from the above link.  

The update will not be applied to systems on which the original patch is already installed. 

Mark

Just to be precise:
KB977165 has *NOT* been recompiled or does *NOT* contain any binary changes. The "only" thing MS did is prevent the distribution/installation on "potentially" affected systems which have malware etc. installed. That prevention is done via a detection logic change provided via WSUS/WU/MU/AU, IOW the Windows Update Agent. Downloading KB977165 via DownloadCenter does *NOT* contain any changes and does *NOT* "protect" potentially affected systems from the installation of KB977165 which may lead to "malfunctions" of malware (and therefore may prevent the system from operating as expected) already installed on the system.
Anonymous
Microsoft also created a Fix It Solution which will tell you whether you have the Alureon/TDSS rootkit (they say abnormal condition) that hooks your mass storage driver (http://support.microsoft.com/kb/980966/), but as commented in February, the rootkit has been updated so that the rootkit and patch no longer interfere with each other. Microsoft will presumably target the variation of the rootkit better in the March update of the MSRT (Malicious Software Removal Tool), which has previously targeted Alureon/TDSS.
Andrew
