From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed Apr 10 2002 - 18:08:12 MDT
Warning: Microsoft silently changes security patches. Even if you
think you have installed the recommended security patch from Microsoft,
they may have changed its contents since you downloaded it.
The e-mail below notes two such occurrences.
We have also received similar reports from people who have tried to
automate a notification system to tell them when Microsoft releases a
new patch. They began getting notifications for old patches that had
already been released. Further investigation showed that Microsoft had
edited the contents of older patches without documenting the change.
Similar instances have plagued people who try to detect when websites
change. The online links and descriptions of Microsoft patches change
without warning for older patches.
A comparison of these changes with the original downloads shows that the
changes can occur in the content, instructions or description of the
patch. Microsoft never documents the changes, or warns that a different
version of the patch has been released. It is almost as if they are
trying to edit files historically, so that it appears that the old
patches always contained their present contents.
Now we have the confusing situation where any given download of a
Microsoft patch may or may not match other downloads of the same patch.
A company that downloads and patches all their computers may end up with
different software on different machines. A technician who tests a
patch in one environment and then goes to implement it into production
may not implement the same patch as tested. Reviewers who report
success or problems with a patch may not be describing the same patch
that their customers later receive. It may even become necessary to
re-download and re-try patches that fail on the off-chance that
Microsoft has changed them without warning or documentation.
Begin forwarded message:
From: Francis Favorini <francis.favorini@DUKE.EDU>
Date: Wed Apr 10, 2002 04:34:35 pm US/Eastern
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: MS silently changing security patches
Reply-To: Francis Favorini <francis.favorini@DUKE.EDU>
Hi,
Just thought I'd pass this along. Microsoft has silently changed
the patch in MS02-008 (at least the MSXML 3.0 version). The old patch I
downloaded on 2/22/02 had version 8.20.9307.0 of msxml3.dll. The version I
downloaded today has version 8.20.9415.0. There is no indication in the
security bulletin that anything has changed. HFNetChk alerted me that the
file version did not match.
The same thing happened last month with MS02-009. The patch
silently changed, although the bulletin did get updated later. It's
possible that this is simply due to a delay in the revised bulletin getting
propagated to all the web servers. I hope this is the case.
On a semi-related note, does anyone know why HFNetChk complains that
MS02-016 is not applied to a Win2K server that is not a domain controller?
Is it just because it can't identify DCs, or is there some reason to apply
it?
-Francis
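The practical defence against the problem both messages describe (a patch tested in one environment silently differing from the one later deployed, noticed here only because HFNetChk reported a msxml3.dll version mismatch) is to fingerprint the tested download and compare every later copy against that record. The script below is an added example, not code from either poster or from Microsoft: it builds a manifest of SHA-256, size and PE FileVersion for each file in a patch, then diffs a fresh download against the baseline. The FileVersion is read by scanning for the VS_FIXEDFILEINFO signature rather than walking the PE resource directory (a heuristic, sufficient to confirm the version HFNetChk reports); `fake_dll` constructs synthetic stand-ins for msxml3.dll with the two versions quoted above so the example runs offline.

```python
import hashlib
import struct
from pathlib import Path

# VS_FIXEDFILEINFO starts with dwSignature = 0xFEEF04BD (little-endian on disk).
VS_FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"


def pe_file_version(data: bytes):
    """Return the FileVersion of a PE image as 'a.b.c.d', or None if absent.

    Heuristic (assumption): locate VS_FIXEDFILEINFO by its signature instead
    of walking the resource directory. Fields after the signature are
    dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
    """
    off = data.find(VS_FIXEDFILEINFO_SIG)
    if off < 0 or off + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, off)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def fingerprint(data: bytes) -> dict:
    """Record everything needed to tell two copies of a patch file apart."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "file_version": pe_file_version(data),
    }


def manifest(files: dict) -> dict:
    """files: {relative name: bytes} -> {name: fingerprint}."""
    return {name: fingerprint(data) for name, data in files.items()}


def manifest_from_dir(root: str) -> dict:
    """Fingerprint an extracted patch directory on disk (not used offline)."""
    base = Path(root)
    return manifest({str(p.relative_to(base)): p.read_bytes()
                     for p in sorted(base.rglob("*")) if p.is_file()})


def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means the copies match."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name), current.get(name)
        if b is None:
            findings.append(f"ADDED {name}")
        elif c is None:
            findings.append(f"REMOVED {name}")
        elif b["sha256"] != c["sha256"]:
            findings.append(
                f"CHANGED {name}: sha256 {b['sha256'][:12]}.. -> {c['sha256'][:12]}.., "
                f"size {b['size']} -> {c['size']}, "
                f"version {b['file_version']} -> {c['file_version']}"
            )
    return findings


def fake_dll(version: tuple, padding: int = 64) -> bytes:
    """Constructed stand-in for a DLL: MZ stub plus a VS_FIXEDFILEINFO block.

    Synthetic test data, not a real Microsoft binary.
    """
    a, b, c, d = version
    fixed = VS_FIXEDFILEINFO_SIG + struct.pack(
        "<III", 0x00010000, (a << 16) | b, (c << 16) | d)
    return b"MZ" + b"\x00" * padding + fixed + b"\x00" * 32


def demo() -> list:
    """Baseline = patch as tested on 2/22/02; current = today's download."""
    tested = manifest({"msxml3.dll": fake_dll((8, 20, 9307, 0))})
    today = manifest({"msxml3.dll": fake_dll((8, 20, 9415, 0))})
    return compare(tested, today)


if __name__ == "__main__":
    for line in demo() or ["patch matches tested baseline"]:
        print(line)
```

In practice the manifest of the copy that passed testing is written to a file under change control, and the deployment job refuses to proceed when `compare` returns anything. The version heuristic will also miss binaries with no version resource, so the SHA-256 comparison is the authoritative signal; the version string is there to make the finding legible to whoever reads the ticket.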
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:13:24 MST