LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Ripley on August 13, 2006, 11:03:58 PM

Title: Confirming your Windows Updates
Post by: Ripley on August 13, 2006, 11:03:58 PM
Been reading the additional encouragements to make sure we have all patched our Windows here: http://www.landzdown.com/index.php?topic=8341.0#top
and other news, including Homeland Defense making a press release concerning MS06-040 here: http://www.dhs.gov/dhspublic/display?content=5789

including the part, "Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country," from here: http://www.microsoft.com/technet/security/...ory/922437.mspx

Question #1:  The part about, customers who believe they've been attacked...they mean if some scanner or security expert tells you based on reviewing their logs, that they are infected by Win32/Graweb, they are to contact their local FBI?

Question #2:  What means are ppl using to confirm you have this particular patch?  It says in the MS Advisory 922437 (link above) that:
"Customers who have installed the MS06-040 security update are not affected by this vulnerability."
In my Windows folder there is no MS06-040 listed.  All my Windows updates are KB's w/ different numbers.  The KB# that corresponds w/ MS06-040 is 921883, right?  There is also a corresponding Windows log for each of the KB numbered updates.

So, the way I have confirmed I have it, is 2 ways.  Go to Windows Update or Microsoft Updates, have MS scan my puter and if it doesn't say I need it, I have it.  BUT, I also look in my Windows folder & look to see that I have the ones listed on the release bulletin each month. 

Question #3:  The Windows logs in my Windows folder that correspond w/ each Update...I have never looked at one til now, starting w/ the KB 921883 Update log.  I assumed at the end of that log it would say something like successful install...or some keyword like it that confirms I have that one.  Instead I see words like, "cab does not exist...update.ver file is not correct..." towards the beginning of the log, and ending with re-boot necessary, w/ a lot in between I don't understand.  Is this log helpful to me, in other words, keep them and not delete them?  Review of 5-6 of these ends in "re-boot necessary."   Are those the magic keywords that mean patch confirmed?  I am assuming these logs thus serve another purpose than to advise me of a successful install?
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 14, 2006, 12:02:45 AM
The logs help in the event an update isn't installing.  Product Support Services can use the logs' information when trying to see what is occurring.

When you're using Windows Update / Microsoft Update, there should be a summary page that states which patches applied successfully and which failed.  I think they use green and red text, respectively, for writing that out.

If there's any doubt on whether or not the patch installed successfully, in North America, please feel free to call Product Support Services at 866-PC-SAFETY, and international customers can utilize any method found at http://support.microsoft.com/security.

Aaron
Title: Re: Confirming your Windows Updates
Post by: Ripley on August 14, 2006, 05:21:55 AM
Quote from: Aaron
The logs help in the event an update isn't installing.  Product Support Services can use the logs' information when trying to see what is occurring.

Good, that answers question #3.

Quote from: Aaron
When you're using Windows Update / Microsoft Update, there should be a summary page that states which patches applied successfully and which failed.  I think they use green and red text, respectively, for writing that out.

And this answers question #2.  I can go to MS & they will let me know if I have the current updates.  Your best way to confirm whether you have the latest HIGH PRIORITY Updates.

Still wondering about question #1...but in the meantime...came up with a 4th question  :)
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 14, 2006, 05:26:57 AM
This may also help with Question 2:

Source: http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Path:  Expand "Security Update Information" | Expand "Windows XP (all versions)"

Quote
Verifying that the Update Has Been Applied

• Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

• File Version Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.

2. In the Search Results pane, click All files and folders under Search Companion.

3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.

4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5. On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.


• Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

For Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB921883\Filelist

For Windows XP Professional x64 Edition:

Note These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the security update into the Windows installation source files.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB921883\Filelist

Title: Re: Confirming your Windows Updates
Post by: Ripley on August 14, 2006, 05:32:22 AM
Quote from: Aaron Hulett MSFT
You may want to switch to Microsoft Update via http://update.microsoft.com/microsoftupdate.  It provides the same updates to Microsoft Windows that you already receive via Windows Update, but also updates other items, such as Microsoft Office 2003 which you appear to be running.
(quote from a different thread)

Aaron, I am so glad you posted this.  I started to post a question concerning my recent experience in August bouncing between multiple Update links at MS...but then shied away cuz I've posted enough questions about August MS Updates.

BUT...I have for many months been set for auto updates with Windows Update page...maybe 5 or 6 months. 
I switched to Notify, rather than Auto just a bit ago, cuz of my dial-up connection AND my commitment to manually check on the second Tuesday of each month when MS updates are scheduled to be released.  But reviewing the Security Bulletins from MS last month and this month, I have been bouncing between Windows Update page/and their scanner & Office Update/their scanner.
This month I "noticed" <has this always been there?...how long has that been there?>  ANOTHER 3rd option: Microsoft Updates, and clicked on it.  Scan took a bit longer (I guess expected if this scans OS, Office, Other MS products), but NOW when I choose this path IE>Tools>Internet Options>Windows Update, it goes to Microsoft Update, instead of Windows Update like it did before.

So this will be my question #4: If you are on Automatic Updates, are you by default taken to Windows Update or Microsoft Update?  I assume Windows Update.  But if you want to be Microsoft Update for Auto Updates, which seems smart from a security aspect given the high priority updates that include MS products not included in Windows OS Updates in the last few months, how do you "switch"?
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 14, 2006, 05:32:40 AM
Regarding Question 1:

Source:  http://www.microsoft.com/technet/security/advisory/922437.mspx

Quote
Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country

Source:  Same
Path:  Expand "Suggested Actions"

Quote
Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

This is what the advisory is suggesting at this time.

Thanks,

Aaron
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 14, 2006, 05:43:04 AM
When you switch to Microsoft Update, the Automatic Updates functionality also switches, so you'll receive Windows, Office, and SQL updates (those are the three I know are on Microsoft Update, there may be additional items) via Automatic Updates.  Additionally, your shortcuts to Windows Update will redirect to Microsoft Update automatically.

Here's some additional information:

Microsoft Knowledge Base Article 901260
You visit the Microsoft Update Web site instead of the Windows Update Web site
http://support.microsoft.com/kb/901260/

Microsoft Knowledge Base Article 901037
How to enable and to disable Microsoft Update
http://support.microsoft.com/kb/901037/

Microsoft Update
Frequently Asked Questions
http://update.microsoft.com/microsoftupdate/v6/about.aspx

Hope that helps.  Feel free to post any follow up questions you may have.

Aaron
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 14, 2006, 06:06:19 AM
I figured I should note this before I forget.  There should be information on confirming the update has applied successfully, such as information the update places in the registry, and the file versions and times of any changed files, within the Security Bulletin.  For an example, using the Security Bulletin I linked above (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx), if you expand "Security Update Information" followed by your version of Microsoft Windows, you'll see a File Information section which lists the file attributes of updated files, with their times based on UTC.

To explain file times better, let's say you're in the Pacific Time zone.  Pacific Time is 8 hours behind GMT / UTC, and as such, when I look in the Date and Time Properties area, I see "GMT -8:00".

As an example, I'll take the file listed in that Security Bulletin, which will be one of these three for x86:

Quote
File Name     Version        Date         Time   Size     CPU  Folder
Netapi32.dll  5.1.2600.1874  14-Jul-2006  15:53  307,200  x86  SP1QFE
Netapi32.dll  5.1.2600.2952  14-Jul-2006  15:31  332,288  x86  SP2GDR
Netapi32.dll  5.1.2600.2952  14-Jul-2006  15:41  336,896  x86  SP2QFE

Looking on my local machine's System32 folder, I see netapi32.dll has these properties:

Version: 5.1.2600.2952
Modified: Friday, July 14, 2006, 8:31:39 AM
Size:  324 KB (332,288 bytes)

Looking above, I see the second one appears to be what I have.  That second one shows a modified time of 15:31.  If I take that, subtract 8 from it to go from GMT/UTC to Pacific Time, then add an hour (Daylight Saving Time) I get 15:31 (or 3:31 PM GMT) - 8 + 1 = 8:31 AM PDT, which is in line with my local file's properties.  This file was patched successfully.

HTH,

Aaron
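
Added example (not part of the original posts or of Microsoft's bulletin): the comparison walked through above, using the three Netapi32.dll rows quoted in the post. The function names `local_to_utc` and `check_file` are hypothetical; the version decides whether the file is patched, and size plus UTC time only distinguish the two rows that share version 5.1.2600.2952.

```python
from datetime import datetime, timedelta

# File information rows for Netapi32.dll (x86) as quoted in the post above;
# dates and times are UTC.
BULLETIN_ROWS = [
    ("5.1.2600.1874", "14-Jul-2006 15:53", 307200, "SP1QFE"),
    ("5.1.2600.2952", "14-Jul-2006 15:31", 332288, "SP2GDR"),
    ("5.1.2600.2952", "14-Jul-2006 15:41", 336896, "SP2QFE"),
]

def local_to_utc(local_dt, std_offset_hours, dst_active):
    """Undo the local offset: UTC = local - (standard offset + 1h if DST)."""
    offset = timedelta(hours=std_offset_hours + (1 if dst_active else 0))
    return local_dt - offset

def check_file(version, size, modified_local, std_offset_hours, dst_active):
    """Return (patched, branch).

    patched: the version equals a row of the bulletin table (the bulletin
             names file version as the supported comparison).
    branch:  that row's Folder value when size and UTC minute also match,
             else None. Size and time only tell same-version rows apart.
    """
    utc = local_to_utc(modified_local, std_offset_hours, dst_active)
    utc_minute = utc.replace(second=0, microsecond=0)
    patched, branch = False, None
    for row_version, row_time, row_size, folder in BULLETIN_ROWS:
        if row_version != version:
            continue
        patched = True
        row_dt = datetime.strptime(row_time, "%d-%b-%Y %H:%M")
        if row_size == size and row_dt == utc_minute:
            branch = folder
    return patched, branch

if __name__ == "__main__":
    # Properties read from the post: Pacific Time (UTC-8), daylight saving active.
    modified = datetime(2006, 7, 14, 8, 31, 39)
    print(check_file("5.1.2600.2952", 332288, modified, -8, True))
```
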
Title: Re: Confirming your Windows Updates
Post by: Ripley on August 15, 2006, 10:14:06 PM
Aaron,
Thank you sooo much for taking the time to answer my questions and more.  :thanks:

When I talk to ppl about making sure they have their Windows Updates I always add 3 final words:
           
GIT-ER-DUN
Title: Re: Confirming your Windows Updates
Post by: Aaron Hulett on August 15, 2006, 11:53:39 PM
You're very welcome.  Thanks for using Microsoft products, and for spreading the word on the importance of updating.  :)

Aaron