RE: MS03-007 Round-up

From: Dozal, Tim <tdozal(at)cisco.com>
Date: Mon Mar 24 2003 - 18:45:14 EST

This should clear things up:

ntoskrnl.exe versions 5.0.2195.4797 to 5.0.2195.4928 are not compatible with versions of ntdll.dll that are greater than 5.0.2195.4797.

If a you apply a hotfix that only updates to one of those binaries, the two binaries will now be in a 'mismatched' state and the machine will blue screen after rebooting for the first time.

If you are running Win2K SP2 and the ntoskrnl.exe file version is between is 5.0.2195.4797 and 5.0.2195.4928 you can get a STOP 0x00000071 on the first reboot after applying the patch.

Ensure that the ntoskrnl.exe file version is greater than or equal to 5.0.2195.4929 or apply Win2k SP3 before applying MS03-007.

MS also just released this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;815021

Cheers,
Tim

-----Original Message-----

From: Chris Gallimore [mailto:ChrisG@concur.com] Sent: Monday, March 24, 2003 9:06 AM
To: Dozal, Tim; Marc Fossi; Focus-MS
Subject: RE: MS03-007 Round-up  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's not always the case; my company has over 200 sp2 web servers that are all running this patch and not a single one had an issue with it.

• -----Original Message----- From: Dozal, Tim [mailto:tdozal@cisco.com] Sent: Friday, March 21, 2003 4:38 PM To: Marc Fossi; Focus-MS Subject: RE: MS03-007 Round-up

As far as our groups have been able to tell, the problems caused by this patch are related to the dependencies of 4 .dll files and this patch replaces ONE of those .dll files. In order to avoid the blue screens you need to first patch your system with Win2k SP3 since the updated .dll file in the MS03-007 patch was designed to work with the other .dll files from W2k SP3. If you do not have SP3 as I understand it you WILL get a blue screen on reboot.

Hope that helps.

• -Tim
• -----Original Message----- From: Marc Fossi [mailto:mfossi@securityfocus.com] Sent: Wednesday, March 19, 2003 12:55 PM To: Focus-MS Subject: MS03-007 Round-up

Hey folks,

I think that we've pretty much established that this patch does cause problems on some systems and not on others. Seems to be about 50/50 judging from the posts.

At this point I'm not going to approve any more posts about it unless someone offers conclusive evidence as to what the problem is or a remedy. I know that there are MS people subscribed to the list and their silence on this says to me that they are aware that there is a problem (though it would be nice to actually hear it from them).

On a side note, the bulletin has been updated with some info about a possible conflict with a prior hotfix released by PSS. Check out the FAQ in the bulletin. Not sure if this covers everyone who reported problems with the patch or if there are additional issues there.

Marc Fossi
Symantec Corp.
www.symantec.com

• ---------------------------------------------------------------------- ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data! It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! http://www.spidynamics.com/mktg/sqlinjection33
• ---------------------------------------------------------------------- ALERT: How a Hacker Uses SQL Injection to Steal Your SQL Data! It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! http://www.spidynamics.com/mktg/sqlinjection33

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPn86yfX/3fXjg2cjEQL8LgCgkOA2hgcr71jZMj3Rc9ggK8gB+a8AoK23 Q87BiCBJKblZMclCMCK2Oaha
=/8OV
-----END PGP SIGNATURE-----

---

Get serious about enterprise anti-spam management. SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of technology to defeat spam with accuracy. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfmsl1 Received on Tue Mar 25 13:15:02 2003