We host all KB's locally on a server that is accessable from the
temporary role and allow clueful help desk staff to access the reports
in CCA to remediate people who have problems with a specific patch. We
saw about a 5% rate of users who needed this service, that to us was an
acceptable rate and in the grand scheme of things I sleep better at
night knowing people are patched as compared to the relative minor
neusance of downloading and hosting the patches.
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Greg Schaffer
Sent: Friday, August 25, 2006 4:37 PM
To: [log in to unmask]
Subject: Re: [PERFIGO] Microsoft Windows Update Website
We have had fine results with just checking for the running of Windows
Update. Also, like most, CCA is only a part of the overall method for
securing our RESnet.
Greg
Simon Kissler wrote:
> I have to say that after some of our pre-CCA experiences with Viruses
> and such and the number of calls we'll get when people have the
> vulnerability I'd rather spend the time to do manual installs and or
> use something like bitsfix than risk our students not having the
> patches installed and us having to deal with the aftermath.
>
> -S
>
>
>
> On Fri, 25 Aug 2006, Rajesh Nair (rajnair) wrote:
>
>
>> Return-Path: <[log in to unmask]>
>> Received: from localhost by genesis with LMTP; Fri,
>> 25 Aug 2006 13:40:11 -0500
>> Received: from smtp03.valpo.edu (smtp03.valpo.edu [152.228.33.53])
>> by genesis.valpo.edu (Switch-3.1.7/Switch-3.1.0) with ESMTP id
>> k7PIeBbf002821;
>> Fri, 25 Aug 2006 13:40:11 -0500 (CDT)
>> Received: from localhost (localhost [127.0.0.1])
>> by smtp03.valpo.edu (8.13.7/8.12.9) with ESMTP id
k7PIe7WB019916;
>> Fri, 25 Aug 2006 13:40:07 -0500 (CDT)
>> X-Virus-Scanned: by amavisd-new at valpo.edu
>> Received: from smtp03.valpo.edu ([127.0.0.1])
>> by localhost (smtp03.valpo.edu [127.0.0.1]) (amavisd-new, port
10024)
>> with ESMTP id L8iaBGge0SD4; Fri, 25 Aug 2006 13:40:05 -0500
(CDT)
>> Received: from listserv.muohio.edu (listserv.muohio.edu
[134.53.7.26])
>> by smtp03.valpo.edu (8.13.7/8.12.9) with ESMTP id
k7PIe56o019898;
>> Fri, 25 Aug 2006 13:40:05 -0500 (CDT)
>> Received: from nasw2k01 (listserv.muohio.edu) by listserv.muohio.edu
>> (LSMTP for Windows NT v1.1b) with SMTP id
>> <[log in to unmask]>; Fri, 25 Aug 2006 14:40:04 -0400
>> Received: by LISTSERV.MUOHIO.EDU (LISTSERV-TCP/IP release 14.5) with
>> spool id
>> 50811395 for [log in to unmask]; Fri, 25 Aug 2006
14:38:45
>> -0400
>> Received: from mulnx11.mcs.muohio.edu by listserv.muohio.edu (LSMTP
for
>> Windows
>> NT v1.1b) with SMTP id <[log in to unmask]>;
Fri,
>> 25 Aug
>> 2006 14:38:44 -0400
>> Received: from mulnx23.mcs.muohio.edu (mulnx23.mcs.muohio.edu
>> [134.53.6.10]) by
>> mulnx11.mcs.muohio.edu (Switch-3.1.8/Switch-3.1.7) with
ESMTP id
>> k7PIchkE004152 for <[log in to unmask]>; Fri, 25
Aug 2006
>> 14:38:43 -0400
>> Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com
>> [171.71.176.117]) by
>> mulnx23.mcs.muohio.edu (Switch-3.1.8/Switch-3.1.7) with
SMTP id
>> k7PIcgeD007475 for <[log in to unmask]>; Fri, 25
Aug 2006
>> 14:38:42 -0400
>> Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by
>> sj-iport-6.cisco.com
>> with ESMTP; 25 Aug 2006 11:38:42 -0700
>> Received: from sj-core-2.cisco.com (sj-core-2.cisco.com
[171.71.177.254])
>> by
>> sj-dkim-4.cisco.com (8.12.11.20060308/8.12.11) with ESMTP
id
>> k7PIcgjZ003509 for <[log in to unmask]>; Fri, 25
Aug 2006
>> 11:38:42 -0700
>> Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com
>> [171.70.151.144]) by sj-core-2.cisco.com (8.12.10/8.12.6)
with
>> ESMTP
>> id k7PIcfYp010099 for <[log in to unmask]>; Fri,
>> 25 Aug 2006
>> 11:38:42 -0700 (PDT)
>> Received: from xmb-sjc-22d.amer.cisco.com ([128.107.191.68]) by
>> xbh-sjc-211.amer.cisco.com with Microsoft
>> SMTPSVC(6.0.3790.1830);
>> Fri, 25 Aug 2006 11:38:41 -0700
>> X-MimeOLE: Produced By Microsoft Exchange V6.5
>> Content-class: urn:content-classes:message
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>> X-MS-Has-Attach:
>> X-MS-TNEF-Correlator:
>> Thread-Topic: Microsoft Windows Update Website
>> Thread-Index: AcbHgUbL2KaVvGHfSEGrE5jGPqPGMQA1PETgAAd183A=
>> X-OriginalArrivalTime: 25 Aug 2006 18:38:41.0861 (UTC)
>> FILETIME=[B0256F50:01C6C875]
>> X-Real-ConnectIP: 171.71.176.117
>> X-Scanned-By: MIMEDefang 2.57 on 134.53.6.66
>> X-Scanned-By: MIMEDefang 2.52 on 134.53.6.10
>> Message-ID:
>>
>> <[log in to unmask]>
>> Date: Fri, 25 Aug 2006 11:38:41 -0700
>> Reply-To: Perfigo SecureSmart and CleanMachines Discussion List
>> <[log in to unmask]>
>> Sender: Perfigo SecureSmart and CleanMachines Discussion List
>> <[log in to unmask]>
>> From: "Rajesh Nair (rajnair)" <[log in to unmask]>
>> Subject: Re: Microsoft Windows Update Website
>> To: [log in to unmask]
>> Precedence: list
>> List-Help: <http://listserv.muohio.edu/scripts/wa.exe?LIST=PERFIGO>,
>> <mailto:[log in to unmask] PERFIGO>
>> List-Unsubscribe:
>> <mailto:[log in to unmask]>
>> List-Subscribe:
>> <mailto:[log in to unmask]>
>> List-Owner: <mailto:[log in to unmask]>
>> List-Archive:
>> <http://listserv.muohio.edu/scripts/wa.exe?LIST=PERFIGO>
>>
>> Aaron et al,
>>
>> Here goes. While I am sure this response will not be satisfactory to
>> many, this is the best I can say.
>>
>> How Clean Access verifies patches - In most instances, Clean Access
>> uses registry keys to verify patches. Not always though - in some
>> instances, we use file versions, etc. as well. We decide this on a
>> patch-to-patch basis after testing.
>>
>> How Microsoft verifies patches - Its mostly a mystery. Really
>> speaking, something like MSBA is the best way to verify whether a
>> system is correctly patched or not. However, MSBA takes a long time
>> to do its work. The ActiveX scanner from the Windows update website,
>> on the other hand, doesn't take the same approach as MSBA. How can
>> we tell - because, there have been multiple cases where Windows
>> update tells us that there are no patches, except that the DLL file
>> versions show that they are still vulnerable. There has also been an
>> instance where a hotfix required a patch (another KB item) and as
>> long as machines had the "patch", they showed up as not requiring the
>> hotfix itself. So, they are not correct in all instances either.
>>
>> How can we make things better? - if we purely used DLL versions to
>> check things, we feel that the check would be far more accurate than
>> it currently is. However, this will take some time for us to support
>> for multiple reasons - 1) we need to have a faster way of checking
>> since the check/rule size for a purely DLL-based checking would be
>> huge 2) Adequate testing capabilities to support this. We are
>> working towards this but it will take some more time. In the
>> meantime, we try to test and re-test the rules/checks we have to try
to ensure minimal flaws.
>>
>> -Rajesh.
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Rothberg, Aaron
>> Sent: Friday, August 25, 2006 8:19 AM
>> To: [log in to unmask]
>> Subject: Microsoft Windows Update Website
>>
>> I was hoping for a reply from Rajesh with more details regarding the
>> Windows Update website.
>>
>> It would seem to me that while Cisco Clean Access has chosen to
>> review the Registry to identity if a Critical Update has been
>> installed, Microsoft is using a different method for the same
>> verification. This is causing us some pain in that since Microsoft
>> created Windows, I would expect they understand best how to determine
>> if a patch has been installed or not and would tend to trust their
>> website more than a 3rd party. Given in these instances the Microsoft
>> Update Website states a student has all of the Critical Updates, I
>> don't want to have to spin our wheels installing a patch simply to
>> insert a Registry Key to satisfy Cisco Clean Access, when quite
>> possibly the appropriate DLLs and EXEs have been updated and no
security vulnerability exists on the machine.
>>
>> Rajesh, can you discuss why Cisco Clean Access uses a different
>> method for verifying patch installation and if Cisco plans to employ
>> the same method of verification that Microsoft uses in a future
>> release so the web page and CCA come to the same conclusion? And
>> also, can you mention why we should be confident that Microsoft's
>> Update website it lying to us and we should believe a vulnerability
>> exists simply because a Registry Key is missing?
>>
>> --Aaron
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Joseph Haynes
>> Sent: Thursday, August 24, 2006 8:55 AM
>> To: [log in to unmask]
>> Subject: Re: KB913433
>>
>> Apparently that patch is only needed if you have an older version (6
>> or
>> 7) of macromedia flash installed. CCA Should be checking for both an
>> older version of flash and the patch, not the patch by itself.
>>
>> Does this help?
>>
>> http://support.microsoft.com/kb/913433/en-us
>>
>> Joe Haynes
>> University of Marh Washington
>>
>>
>>>>> "Rothberg, Aaron" <[log in to unmask]> 08/23/06 9:18 PM >>>
>>>>>
>> We're running 3.5.10 and have an interesting problem.
>>
>> We've got a student computer that Microsoft Windows Update website
>> says has all of the Critical Updates, yet continues to fail a CCA
>> check for KB913433, a Flash update. When the student tries to install
>> this update he gets the pop-up, "The version of Macromedia Flash you
>> have installed does not match the update you are trying to install."
>>
>> So the student can't install the update, but CCA won't pass him until
>> he does. Our only way around at this point is to modify the registry.
>> Our helpdesk is a bit concerned at the number of people that may be
>> affected given our recent discovery (and previous posting) that
>> Microsoft Windows Update and CCA seem to disagree in a variety of
>> instances where the web site says the user is good and CCA states
updates are still missing.
>>
>> Has anyone seen this issue with KB913433 or the same symptoms with
>> any other Critical Update? Suggestions? Sledgehammers?
>>
>> ...and for the record, are most people in agreement that Microsoft's
>> Update Website looks at DLL versions to determine if a patch is
>> installed or not and thus the discrepancy between CCA and Microsoft
>> saying a patch is missing (CCA) when it has been installed (Microsoft
>> Update website)?
>>
>> Rajesh, can you give us a Cisco ruling on this?
>>
>> --Aaron
>> Helpdesk Computer Tech
>> 603.358.2590
>>
>>
>
>
------------------------------------------------------------------------
-------
> Simon Kissler
[log in to unmask]
> Sr. UNIX Systems and Network Administrator Phone: (219) 464 6773
> Information Technology Fax : (219) 464 5381
> Valparaiso University
> Kretzmann Hall B12
> Valparaiso, IN 46383
> ----------------------------------------------------------------------
> ---------
>
> "The great tragedy of science --
> the slaying of a beautiful hypothesis by an ugly fact."
> -Thomas Huxley
>
> ----------------------------------------------------------------------
> ---------
>
>
>
|