CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Fri, 25 Aug 2006 11:38:41 -0700

Aaron et al,

Here goes.  While I am sure this response will not be satisfactory to
many, this is the best I can say. 

How Clean Access verifies patches - In most instances, Clean Access uses
registry keys to verify patches.  Not always though - in some instances,
we use file versions, etc. as well.  We decide this on a patch-to-patch
basis after testing.  

How Microsoft verifies patches - It's mostly a mystery.  Really speaking,
something like MBSA is the best way to verify whether a system is
correctly patched or not.  However, MBSA takes a long time to do its
work.  The ActiveX scanner from the Windows Update website, on the other
hand, doesn't take the same approach as MBSA.  How can we tell?
Because there have been multiple cases where Windows Update tells us
that there are no patches, except that the DLL file versions show that
they are still vulnerable.  There has also been an instance where a
hotfix required a patch (another KB item) and as long as machines had
the "patch", they showed up as not requiring the hotfix itself.  So,
they are not correct in all instances either. 

How can we make things better? - If we purely used DLL versions to check
things, we feel that the check would be far more accurate than it
currently is.  However, this will take some time for us to support for
multiple reasons: 1) we need to have a faster way of checking, since the
check/rule size for purely DLL-based checking would be huge; 2)
adequate testing capabilities to support this.  We are working towards
this but it will take some more time.  In the meantime, we try to test
and re-test the rules/checks we have to try to ensure minimal flaws.

-Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Rothberg, Aaron
Sent: Friday, August 25, 2006 8:19 AM
To: [log in to unmask]
Subject: Microsoft Windows Update Website

I was hoping for a reply from Rajesh with more details regarding the
Windows Update website.

It would seem to me that while Cisco Clean Access has chosen to review
the Registry to identify if a Critical Update has been installed,
Microsoft is using a different method for the same verification. This is
causing us some pain in that since Microsoft created Windows, I would
expect they understand best how to determine if a patch has been
installed or not and would tend to trust their website more than a 3rd
party. Given in these instances the Microsoft Update Website states a
student has all of the Critical Updates, I don't want to have to spin
our wheels installing a patch simply to insert a Registry Key to satisfy
Cisco Clean Access, when quite possibly the appropriate DLLs and EXEs
have been updated and no security vulnerability exists on the machine.

Rajesh, can you discuss why Cisco Clean Access uses a different method
for verifying patch installation and if Cisco plans to employ the same
method of verification that Microsoft uses in a future release so the
web page and CCA come to the same conclusion? And also, can you mention
why we should be confident that Microsoft's Update website is lying to
us and we should believe a vulnerability exists simply because a
Registry Key is missing?

--Aaron

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Joseph Haynes
Sent: Thursday, August 24, 2006 8:55 AM
To: [log in to unmask]
Subject: Re: KB913433

Apparently that patch is only needed if you have an older version (6 or
7) of Macromedia Flash installed. CCA should be checking for both an
older version of flash and the patch, not the patch by itself.

Does this help?

http://support.microsoft.com/kb/913433/en-us 

Joe Haynes
University of Mary Washington

>>> "Rothberg, Aaron" <[log in to unmask]> 08/23/06 9:18 PM >>>
We're running 3.5.10 and have an interesting problem.

We've got a student computer that Microsoft Windows Update website says
has all of the Critical Updates, yet continues to fail a CCA check for
KB913433, a Flash update. When the student tries to install this update
he gets the pop-up, "The version of Macromedia Flash you have installed
does not match the update you are trying to install."

So the student can't install the update, but CCA won't pass him until he
does. Our only way around at this point is to modify the registry. Our
helpdesk is a bit concerned at the number of people that may be affected
given our recent discovery (and previous posting) that Microsoft Windows
Update and CCA seem to disagree in a variety of instances where the web
site says the user is good and CCA states updates are still missing.

Has anyone seen this issue with KB913433 or the same symptoms with any
other Critical Update? Suggestions? Sledgehammers?

...and for the record, are most people in agreement that Microsoft's
Update Website looks at DLL versions to determine if a patch is
installed or not and thus the discrepancy between CCA and Microsoft
saying a patch is missing (CCA) when it has been installed (Microsoft
Update website)?

Rajesh, can you give us a Cisco ruling on this?

--Aaron
Helpdesk Computer Tech
603.358.2590
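
Added example, not part of the original thread and not Cisco's or Microsoft's code: a Python comparison of a registry-marker rule with an applicability-aware file-version rule for the KB913433 situation discussed above. The fixed build number, the registry key name and the host records are constructed placeholders, and treating only Flash 6 and 7 as affected follows Joe Haynes's description.

```python
# Constructed data: the version numbers, key name and host records below are
# placeholders for illustration, not real KB913433 values.
FIXED_VERSION = (7, 0, 63, 0)         # hypothetical first non-vulnerable build
AFFECTED_MAJORS = {6, 7}              # thread: patch only applies to Flash 6 or 7
PATCH_KEY = "HOTFIX-KEY-PLACEHOLDER"  # stand-in for the patch's registry marker

HOSTS = {
    # Flash 8 installed: the patch refuses to install, so no key is written.
    "newer-flash": {"flash": (8, 0, 24, 0), "reg_keys": set()},
    # Key present but binary never replaced (e.g. registry edited by hand).
    "key-only": {"flash": (7, 0, 19, 0), "reg_keys": {PATCH_KEY}},
    # Patch installed normally: key written and binary updated.
    "patched": {"flash": (7, 0, 63, 0), "reg_keys": {PATCH_KEY}},
    # Flash not installed at all.
    "no-flash": {"flash": None, "reg_keys": set()},
}

def registry_rule(host):
    """Pass only if the patch's registry marker exists."""
    return PATCH_KEY in host["reg_keys"]

def file_version_rule(host):
    """Pass if the component is absent, not an affected major, or >= fixed build."""
    ver = host["flash"]
    if ver is None or ver[0] not in AFFECTED_MAJORS:
        return True  # nothing on this host for the patch to fix
    return ver >= FIXED_VERSION

def compare(hosts):
    """Return {name: (registry_result, file_result, verdict)} for each host."""
    report = {}
    for name, host in hosts.items():
        reg, ver = registry_rule(host), file_version_rule(host)
        if reg == ver:
            verdict = "agree"
        elif ver:
            verdict = "false-fail"  # user blocked although the binary is fine
        else:
            verdict = "false-pass"  # user admitted with a vulnerable binary
        report[name] = (reg, ver, verdict)
    return report

if __name__ == "__main__":
    for name, row in compare(HOSTS).items():
        print(f"{name:12} registry={row[0]!s:5} file={row[1]!s:5} {row[2]}")
```

The "newer-flash" row is the student's case from the original post; the "key-only" row shows why editing the registry to get past the check leaves the rule blind to the actual binary.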
