RE: Microsoft Security Bulletin MS01-030

2001-06-14 Thread Michael B. Morell

I was a brave soul and did install it (rev3).  I figured the third time may
be a charm (I never installed the first 2 mind you, just lucky I guess being
too busy to install the first 2 the second they came out).

It seems to be ok, even though on the reboot it took a "scary" amount of
time to come back.
If it happens to you, just be patient.  It took about 5-7 minutes to boot
back into the desktop.

Store has not been pegged and the IMS is delivering mail.  This is not to
say though that this patch is ok.  I have not reproduced the same symptoms
on this release as the other poor souls did.
I still need to test against the vulnerability to make sure it is patched.

Platform: win2k with sp2, exch 5.5 w/sp4

But as with everything, make sure you have a good backup before installing.
You can never be too safe.

good luck

Mike Morell




Re: Microsoft Security Bulletin MS01-030

2001-06-14 Thread Michael Bryan


John Hanks wrote:
> 
> Does anyone know if a third version is in the works or if I should keep
> trying to make the second version work on my machines?


MS just released version 3 of that Security Bulletin, with a 3rd "official"
version of the patch for W2K.  Again, the URL for the bulletin is here:

http://www.microsoft.com/technet/security/bulletin/MS01-030.asp

Under "technical description", it includes this new paragraph:


On June 12, 2001 Microsoft discovered that the updated Exchange 2000 patch
contained outdated files. We have corrected the error and provided an updated
version of this patch for Exchange 2000. We recommend that all customers who
have downloaded the Exchange 2000 patch prior to June 12, 2001 install the
updated version. 



At this point, I'd be hesitant to install -any- patch on this issue, until
some brave souls have verified that the third time really is a charm.  Looks
like they rushed it a bit too much this time, unfortunately.


I would personally advise any exchange admin to subscribe to the MS Security
Bulletin mailing list, in order to get this type of info as quickly as possible.
Information is here:

http://www.microsoft.com/technet/security/notify.asp



RE: Microsoft Security Bulletin MS01-030

2001-06-14 Thread Paul L Schmehl

Microsoft has just released another updated version of this patch. 
According to the bulletin 
(http://www.microsoft.com/technet/security/bulletin/MS01-030.asp), they 
discovered that some outdated files were inadvertently placed in the first
updated patch, and this patch fixes that problem.

We haven't tried to install this third attempt, so I can't verify that it 
works correctly.

Paul L. Schmehl, [EMAIL PROTECTED]
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member



RE: Microsoft Security Bulletin MS01-030

2001-06-13 Thread John Hanks

The updated patch still had problems on my server. Here is my take on the
patches.

After installing the patches this happened:

First Patch: Mail began to accumulate in SMTP local delivery queue. When an
attempt to connect and deliver was made, STORE.EXE took both CPUs to 100%
and hung there.

Updated Patch: Mail began to accumulate in SMTP local delivery queue. When
an attempt to connect and deliver was made, STORE.EXE took one CPU to 100%
and hung there.

My remedies:

First Patch: Uninstalled the patch, reinstalled exchange, installed relevant
hotfixes but not "the patch."

Updated Version: Uninstalling the patch seems to have brought things back to
normal.

Does anyone know if a third version is in the works or if I should keep
trying to make the second version work on my machines?

jbh

John Hanks
Dept. of Biology
Utah State University
 

> -Original Message-
> From: Paul L Schmehl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 11, 2001 5:31 PM
> To: Toma Vailikit; Microsoft Product Security
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Microsoft Security Bulletin MS01-030
> 
> 
> Microsoft Security contacted me immediately after I posted my warning to
> Bugtraq and gave me a contact to call to report the problem.  Microsoft
> released an updated, regression tested patch the next day (Friday, June 8),
> I would assume in response to my report.
> 
> We haven't tested it yet, but it's supposed to fix the problem.
> 
> Paul L. Schmehl, [EMAIL PROTECTED]
> http://www.utdallas.edu/~pauls/
> Supervisor, Support Services
> The University of Texas at Dallas
> AVIEN Founding Member
> 



RE: Microsoft Security Bulletin MS01-030

2001-06-13 Thread Calanan, Michael

Just to follow up on this with a real-world example, we applied the v2.0
patch (dated 8 June) on an Exchange 2000 server, noticed the symptoms of
the original release of the patch (6 June), where store.exe was
consuming 100% of the CPU and opened a call to MS.  The tech had us roll
back the patch by hand, after which everything ran smoothly and notified
us that a new revision (v3.0?) of the patch would be released soon.

Unfortunately by the next morning we had to reopen the call due to the
fact that the Exchange server was again suffering from the same
symptoms. The tech notified us that he had just received an internal
e-mail announcement that the 3rd revision of the patch was available and
suggested that we apply it.  After doing so the Exchange server is again
running smoothly but of course "consumer confidence" is going to remain
low for the next couple of days until this patch proves it's finally
fixed.

At the time (this morning), the version of the patch was 4419.26,
although now I see their web site is reporting it is version 4419.27,
with the corresponding link to the patch returning a 404 error, so maybe
a 4th rev. is in the works?

- mike

Michael C. Calanan, Systems Analyst
mailto:[EMAIL PROTECTED]
Gynecologic Oncology Group, Statistical and Data Center at Roswell Park
Cancer Institute
Buffalo, NY  



RE: Microsoft Security Bulletin MS01-030

2001-06-12 Thread Paul L Schmehl

Microsoft Security contacted me immediately after I posted my warning to 
Bugtraq and gave me a contact to call to report the problem.  Microsoft 
released an updated, regression tested patch the next day (Friday, June 8), 
I would assume in response to my report.

We haven't tested it yet, but it's supposed to fix the problem.

Paul L. Schmehl, [EMAIL PROTECTED]
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member



RE: Microsoft Security Bulletin MS01-030

2001-06-11 Thread Toma Vailikit

-Original Message-
From: Paul L Schmehl [mailto:[EMAIL PROTECTED]] 

snip...
We do not know if this will affect systems that do not use a-a-c. 
snip...

Yes, it does affect non clustered Exchange servers in the same way. At
least this has been in my case. I don't know if this is a problem for
everyone that has applied this patch.

I noticed that store.exe was on a rampage this morning after I applied
this "patch" yesterday to the server. After a reboot, it took about 5
minutes or so to reproduce the same results with store.exe. So I
rebooted it again and removed the patch so my users would have an
exchange server to connect to.

Of course a server that is inaccessible is much more secure, but I think
we need a patch that doesn't take out the server as a means to remedy a
security hole.



Re: Microsoft Security Bulletin MS01-030

2001-06-10 Thread Paul L Schmehl

At UTD we are running active-active clustering (a-a-c) with two virtual 
Exchange 2000 servers and a RAID array.  We were in the process of 
installing Exchange 2000 on the second node, and the admins decided to 
apply this patch to the "active" node as well.

After application of the patch (this morning), stores.exe consumed 100% of 
CPU and Exchange became non-responsive.  Some tasks timed out, while others 
could be performed but were quite sluggish.

We do not know if this will affect systems that do not use a-a-c. 
Stores.exe is a file used by a-a-c, and the patch detected that we were 
running a-a-c.  There's nothing in the bulletin to indicate that the patch 
is not supposed to be applied to an a-a-c setup.

--On Wednesday, June 06, 2001 5:30 PM -0700 Microsoft Product Security 
<[EMAIL PROTECTED]> wrote:

> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> 
>
> -BEGIN PGP SIGNED MESSAGE-
>
> - --
> Title:      Incorrect Attachment Handling in Exchange 2000 OWA
>             Can Execute Script
> Date:       06 June 2001
> Software:   Microsoft Exchange 2000 Server Outlook Web Access
> Impact:     Run code of attacker's choice
> Bulletin:   MS01-030
>
> Microsoft encourages customers to review the Security Bulletin at:
> http://www.microsoft.com/technet/security/bulletin/MS01-030.asp.
> - --

Paul L. Schmehl, [EMAIL PROTECTED]
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member