For those of you who don't subscribe to NTBugTraq: -----Original Message----- From: Russ [mailto:[EMAIL PROTECTED]] Sent: Friday, October 12, 2001 8:34 AM To: [EMAIL PROTECTED] Subject: MS01-013 revised
-----BEGIN PGP SIGNED MESSAGE----- Numerous people reported seeing MS01-013 show up in HFNetchk scans on their systems as being needed, or "Not Found". They were sure they had applied it. MS01-013 was revised due to what Microsoft calls a "packaging error" in pre-Windows 2000 SP3 fixes. The packaging error is understandable. When MS develops SPs they do a code freeze at a given point in time to ensure the SP doesn't cause errors. From the code freeze date to the release of the SP, MS still issues Hotfixes and PSS QFE fixes as needed. Anything done after the code freeze goes into the next SP. What's not readily understandable is why it has taken 7 months to revise the Hotfix. According to; http://support.microsoft.com/support/kb/articles/Q299/5/49.ASP you must get the revised version of these Hotfixes (assuming you applied the *preliminary*, unfixed, version) to ensure that you do not "cause the loss of some of the fixes that are included in SP2". The KB article states that if you have a pre-SP3 fix dated prior to May 16, 2001, then it is a *preliminary* version and needs to be updated. Check the KB article for the full list of affected fixes (most you never needed). Unfortunately, there doesn't appear to be any details as to what "loss" we may have been seeing during these past 7 months. I had thought that the problems were strictly related to the ability for the next SP to be applied properly, but the KB article seems to suggest other, possibly more important, issues. In addition, the KB article refers to a total of *98* fixes that have been released which contain these packaging errors, any of them potentially causing a "loss of some of the fixes that are included in SP2". On my systems it appears that MS01-013 is the only Security Bulletin that is affected by this, but your mileage may vary. If you find that a Security Bulletin shows up in HFNetchk which you know you have applied, double-check the Microsoft Security Bulletin to see if it was revised due to a packaging error (check the revision history at the bottom of the bulletin). Microsoft are still having problems with their Security Website in that information gets into the XML before it goes onto the Bulletin webpage. Hopefully the Microsoft Security Response Center will provide some clarification as to specifically what sort of "loss of some of the fixes that are included in SP2" we're talking about, and which Security Bulletins are affected. Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.2 iQCVAwUBO8cNfxBh2Kw/l7p5AQHY6gP/b9qZXHfGCIGcmclOtXZZCyz/zQ+DPD9H pgt110xAf8r6tsUqKBfEIfNHiEHRUSLEMp0AkAhQM6BOzMQPEYtCy9vulPSyR1lh YzHfVaIBhUBbBlA+3Vwo7jZLZ6KU1Xsp11jcPgxIHZ1hyQUunhp5by7WBTwVu6uH 9cY8I3SPQ8I= =v034 -----END PGP SIGNATURE----- ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
