CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Ryan Dorman <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Sat, 26 Aug 2006 09:55:24 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (305 lines)

We host all KBs locally on a server that is accessible from the
temporary role and allow clueful help desk staff to access the reports
in CCA to remediate people who have problems with a specific patch.  We
saw about a 5% rate of users who needed this service; that to us was an
acceptable rate, and in the grand scheme of things I sleep better at
night knowing people are patched as compared to the relatively minor
nuisance of downloading and hosting the patches.


Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883 
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Greg Schaffer
Sent: Friday, August 25, 2006 4:37 PM
To: [log in to unmask]
Subject: Re: [PERFIGO] Microsoft Windows Update Website

We have had fine results with just checking for the running of Windows
Update.  Also, like most, CCA is only a part of the overall method for
securing our RESnet.

Greg

Simon Kissler wrote:
> I have to say that after some of our pre-CCA experiences with Viruses 
> and such and the number of calls we'll get when people have the 
> vulnerability I'd rather spend the time to do manual installs and or 
> use something like bitsfix than risk our students not having the 
> patches installed and us having to deal with the aftermath.
>
> -S
>
>
>
> On Fri, 25 Aug 2006, Rajesh Nair (rajnair) wrote:
>
>   
>>
>> Aaron et al,
>>
>> Here goes.  While I am sure this response will not be satisfactory to
>> many, this is the best I can say.
>>
>> How Clean Access verifies patches - In most instances, Clean Access 
>> uses registry keys to verify patches.  Not always though - in some 
>> instances, we use file versions, etc. as well.  We decide this on a 
>> patch-to-patch basis after testing.
>>
>> How Microsoft verifies patches - It's mostly a mystery.  Really
>> speaking, something like MSBA is the best way to verify whether a
>> system is correctly patched or not.  However, MSBA takes a long time
>> to do its work.  The ActiveX scanner from the Windows update website,
>> on the other hand, doesn't take the same approach as MSBA.  How can
>> we tell - because, there have been multiple cases where Windows
>> update tells us that there are no patches, except that the DLL file
>> versions show that they are still vulnerable.  There has also been an
>> instance where a hotfix required a patch (another KB item) and as
>> long as machines had the "patch", they showed up as not requiring the
>> hotfix itself.  So, they are not correct in all instances either.
>>
>> How can we make things better? - if we purely used DLL versions to
>> check things, we feel that the check would be far more accurate than
>> it currently is.  However, this will take some time for us to support
>> for multiple reasons - 1) we need to have a faster way of checking
>> since the check/rule size for a purely DLL-based checking would be
>> huge 2) Adequate testing capabilities to support this.  We are
>> working towards this but it will take some more time.  In the
>> meantime, we try to test and re-test the rules/checks we have to try
>> to ensure minimal flaws.
>>
>> -Rajesh.
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List 
>> [mailto:[log in to unmask]] On Behalf Of Rothberg, Aaron
>> Sent: Friday, August 25, 2006 8:19 AM
>> To: [log in to unmask]
>> Subject: Microsoft Windows Update Website
>>
>> I was hoping for a reply from Rajesh with more details regarding the 
>> Windows Update website.
>>
>> It would seem to me that while Cisco Clean Access has chosen to
>> review the Registry to identify if a Critical Update has been
>> installed, Microsoft is using a different method for the same
>> verification. This is causing us some pain in that since Microsoft
>> created Windows, I would expect they understand best how to determine
>> if a patch has been installed or not and would tend to trust their
>> website more than a 3rd party. Given in these instances the Microsoft
>> Update Website states a student has all of the Critical Updates, I
>> don't want to have to spin our wheels installing a patch simply to
>> insert a Registry Key to satisfy Cisco Clean Access, when quite
>> possibly the appropriate DLLs and EXEs have been updated and no
>> security vulnerability exists on the machine.
>>
>> Rajesh, can you discuss why Cisco Clean Access uses a different
>> method for verifying patch installation and if Cisco plans to employ
>> the same method of verification that Microsoft uses in a future
>> release so the web page and CCA come to the same conclusion? And
>> also, can you mention why we should be confident that Microsoft's
>> Update website is lying to us and we should believe a vulnerability
>> exists simply because a Registry Key is missing?
>>
>> --Aaron
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List 
>> [mailto:[log in to unmask]] On Behalf Of Joseph Haynes
>> Sent: Thursday, August 24, 2006 8:55 AM
>> To: [log in to unmask]
>> Subject: Re: KB913433
>>
>> Apparently that patch is only needed if you have an older version (6
>> or 7) of macromedia flash installed. CCA should be checking for both
>> an older version of flash and the patch, not the patch by itself.
>>
>> Does this help?
>>
>> http://support.microsoft.com/kb/913433/en-us
>>
>> Joe Haynes
>> University of Mary Washington
>>
>>     
>>>>> "Rothberg, Aaron" <[log in to unmask]> 08/23/06 9:18 PM >>>
>>>>>           
>> We're running 3.5.10 and have an interesting problem.
>>
>> We've got a student computer that Microsoft Windows Update website
>> says has all of the Critical Updates, yet continues to fail a CCA
>> check for KB913433, a Flash update. When the student tries to install
>> this update he gets the pop-up, "The version of Macromedia Flash you
>> have installed does not match the update you are trying to install."
>>
>> So the student can't install the update, but CCA won't pass him until
>> he does. Our only way around at this point is to modify the registry.
>> Our helpdesk is a bit concerned at the number of people that may be
>> affected given our recent discovery (and previous posting) that
>> Microsoft Windows Update and CCA seem to disagree in a variety of
>> instances where the web site says the user is good and CCA states
>> updates are still missing.
>>
>> Has anyone seen this issue with KB913433 or the same symptoms with 
>> any other Critical Update? Suggestions? Sledgehammers?
>>
>> ...and for the record, are most people in agreement that Microsoft's
>> Update Website looks at DLL versions to determine if a patch is
>> installed or not and thus the discrepancy between CCA and Microsoft
>> saying a patch is missing (CCA) when it has been installed (Microsoft
>> Update website)?
>>
>> Rajesh, can you give us a Cisco ruling on this?
>>
>> --Aaron
>> Helpdesk Computer Tech
>> 603.358.2590
>>
>>     
>
>
> ----------------------------------------------------------------------
> Simon Kissler                                   [log in to unmask]
> Sr. UNIX Systems and Network Administrator      Phone: (219) 464 6773
> Information Technology                          Fax  : (219) 464 5381
> Valparaiso University
> Kretzmann Hall B12
> Valparaiso, IN 46383
> ----------------------------------------------------------------------
>
>           "The great tragedy of science --
>             the slaying of a beautiful hypothesis by an ugly fact."
>                                                       -Thomas Huxley
>
> ----------------------------------------------------------------------
>
>
>   
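
The disagreement discussed in this thread (registry marker versus file version, plus the point that KB913433 only applies when Flash 6 or 7 is installed), modeled as an added example; it is not part of any poster's message and is not Cisco's or Microsoft's actual check logic. The marker key, file name, version numbers and host inventories are constructed placeholders.

```python
from typing import NamedTuple, Optional

def parse_version(text: str) -> tuple:
    """'7.0.9.0' -> (7, 0, 9, 0): compare fields as numbers, never as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

class Rule(NamedTuple):
    kb: str
    marker_key: str          # registry marker written by the installer (placeholder)
    file_name: str           # file the patch replaces (placeholder)
    fixed_version: str       # first non-vulnerable file version (constructed)
    affected_majors: tuple   # product major versions the patch applies to

class Host(NamedTuple):
    registry_keys: frozenset
    file_versions: dict      # file name -> version string
    flash_major: Optional[int]

def registry_only(host: Host, rule: Rule) -> str:
    """Pass only when the hotfix marker exists, whatever is actually on disk."""
    return "pass" if rule.marker_key in host.registry_keys else "fail"

def layered(host: Host, rule: Rule) -> str:
    """Applicability first, then file version; the marker is only a fallback."""
    if host.flash_major not in rule.affected_majors:
        return "not-applicable"
    found = host.file_versions.get(rule.file_name)
    if found is None:
        return registry_only(host, rule)
    ok = parse_version(found) >= parse_version(rule.fixed_version)
    return "pass" if ok else "fail"

# Constructed rule and inventories; key, file name and versions are placeholders.
MARKER, OCX = "HOTFIX_MARKER_PLACEHOLDER", "flash_component.ocx"
RULE = Rule("KB913433", MARKER, OCX, "7.0.100.0", (6, 7))
HOSTS = {
    "newer_flash_no_marker":  Host(frozenset(), {OCX: "8.0.1.0"}, 8),
    "patched_file_no_marker": Host(frozenset(), {OCX: "7.0.100.0"}, 7),
    "marker_but_old_file":    Host(frozenset({MARKER}), {OCX: "7.0.9.0"}, 7),
    "unpatched":              Host(frozenset(), {OCX: "7.0.9.0"}, 7),
}

def compare(hosts=HOSTS, rule=RULE) -> dict:
    return {n: (registry_only(h, rule), layered(h, rule)) for n, h in hosts.items()}

if __name__ == "__main__":
    for name, (reg, lay) in compare().items():
        print(f"{name:24} registry_only={reg:5} layered={lay}")
```

The first three hosts are the cases where the two methods disagree: a marker-only check blocks a machine the patch does not apply to, blocks one whose file is already at the fixed version, and admits one whose marker is present but whose file is still old.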
