On Fri, 25 Jul 2003 06:10:10 -0700, Kris wrote:
> Security bulletin MS03-030 states that this fix is
> included in SP4 for Windows2000. When I look at the fix
> list of SP4 I can't find the related KB article number?
> MS03-030 is posted on July 23rd, SP4 26th June!!!???
Yes, that is confusing. Expanding "Additional information about this patch" at
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
we see: "Inclusion in future service packs: The fix for this issue is included
in Windows 2000 Service Pack 4. The fix for this issue will be included in the
following Service Packs: Windows XP Service Pack 2, Windows Server 2003 Service
Pack 1."
On your question about the release dates, purely for explanation: eEye states
Microsoft was contacted on April 16, 2003.
http://www.eeye.com/html/Research/Advisories/AD20030723.html
Vulnerabilities are fixed in Service Packs whenever possible and practical. A
bulletin or KB article may or may not be issued with the Service Pack.
So we can reconcile the dates
04-16-2003 eEye notifies Microsoft
06-26-2003 Windows 2000 SP4 release
xx-xx-2003 file dates on Quartz.dll
07-23-2003 MS03-030 Bulletin
purely as incidental, not as proof positive that a specific version of Quartz.dll
dated on or about a specific date is vulnerable.
> Either
> the security bulletin is incorrect or this particular fix
> has been published under another KB number. Can anybody
> tell me whether I still need to install this fix when I
> have SP4 installed?
DirectX 7.0 is the affected software for Windows 2000 that was patched via
Windows 2000 Service Pack 4.
However, other versions of DirectX also need patching. (That's why the bulletin
was released after the service pack. The bulletin is released when patches are
available for all applicable OSes and DirectX versions.)
http://support.microsoft.com/?kbid=819696
discusses how to determine whether a machine is patched
But it can go very wrong. See below. Essentially we need to
* Use DXDiag to determine the DirectX version
* Determine whether the determined Direct X version is vulnerable
* Update to a version that can be patched
and/or
* Patch it
Or
* Update to DirectX 9.0b.
eEye states "...all versions of QUARTZ.DLL" are vulnerable. Microsoft lists
specific DirectX versions on specific platforms. Wait for clarification from
Microsoft, or err on the side of caution and install DirectX 9.0b.
DirectX 7.0 is updated by Service Pack 4. An Integrated SP4 install installs an
updated version of quartz.dll. But are all versions of Direct X on Windows 2000
guaranteed to be patched by SP4? Clearly not.
Example Only THIS IS NOT A CORRECT METHOD TO USE
================================================
DirectX Version: DirectX 8.0 (4.08.00.0400) present prior to installing SP4.
C:\WINNT\system32\quartz.dll. (Vulnerable ?)
Date Time Version Size File name
--------------------------------------------------
03-11-2000 14:35 6.3.1.400 1,662,976 Quartz.dll
Apply SP4 which does not update Quartz.dll (because DirectX 7.0 was not present)
We would like to see, after applying SP4, C:\WINNT\system32\Quartz.dll is
Date Time Version Size File name
--------------------------------------------------
06-19-2003, 12:05 6.1.9.728 828,688 Quartz.dll
But Quartz.dll has not been updated by SP4 (since Direct X 7.0 was not found by
SP4.)
Apply the "Windows2000-KB819696-x86-ENU.exe" patch. A copy of Quartz.dll is
inserted into dllcache
C:\WINNT\system32\dllcache\quartz.dll
Date Time Version Size File name
--------------------------------------------------
07-03-2003, 18:28 6.1.9.729 791,312 Quartz.dll
C:\WINNT\system32\quartz.dll is not touched. (Still vulnerable?)
So what to do? DXDiag.exe would have determined the current version of Direct X
running. Direct X 8.0 is deprecated. At that point Direct X 9.0b is seemingly
the way to go. We can learn the hard way.
* Find the version of Direct X installed by running DXDiag.
* Check the Quartz.dll version against KB819696
* Update to a supported version of Direct X
Example
http://download.microsoft.com/download/DirectX/Install/8.1b/W982KMe/EN-US/dx81bredist.exe
* Find the version of Direct X installed by running DXDiag.
DirectX Version: DirectX 8.1 (4.08.01.0901)
* Check the Quartz.dll version against KB819696
Date Time Version Size File name
--------------------------------------------------
05-01-2002 18:51 6.03.01.0885 1,669,120 Quartz.dll
(Still vulnerable?) Is there a patch for Direct X 8.1b on Windows 2000? Not at
KB819696. Solution?
* Web Update or Redistributable to the patched version of Direct X 9.0b
http://microsoft.com/downloads/details.aspx?FamilyId=141D5F9E-07C1-462A-BAEF-5EAB5C851CF5
http://www.microsoft.com/downloads/details.aspx?familyid=a6dee0db-dcce-43ea-87bb-7c7e1fd1eaa2
DirectX Version: DirectX 9.0b (4.09.0000.0902)
From
http://support.microsoft.com/?kbid=819696
* Check the "Technical Update July 25, 2003: The version number was changed from
4.90.00.0902 to 4.09.00.0902 in the 'Installation Information' section."
"To verify that DirectX 9.0b is installed on your computer, confirm that the
following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\Version
and that its value is 4.09.00.0902."
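As an added example that is not part of this thread and not code from Microsoft or eEye: the checklist above (registry value from KB819696 first, then the quartz.dll version in system32 and in dllcache) written out as a small Python script. The only values it treats as "patched" are the ones quoted in this thread: the DirectX 9.0b registry value 4.09.00.0902 and the DirectX 7.0-branch quartz.dll levels 6.1.9.728 (SP4) and 6.1.9.729 (Windows2000-KB819696-x86-ENU.exe). Function names, the scenario table and the hypothetical pre-SP4 version used in the comments are mine. It shows two things the tables above only hint at: a plain "newer than the SP4 file" comparison wrongly passes the DirectX 8.0 file 6.3.1.400, and a patched copy staged in dllcache does not make the live system32 copy safe.

```python
"""Branch-aware patch-state check for the MS03-030 / KB819696 quartz.dll case.

Added example, not code from the thread, Microsoft or eEye. Every other
quartz.dll branch than 6.1.x is reported as "unknown", which is the thread's
own "upgrade to DirectX 9.0b" advice.
"""
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.03.01.0885' -> (6, 3, 1, 885). Leading zeros carry no meaning, so the
    KB819696 spelling '4.09.00.0902' equals '4.9.0.902', while the typo the KB
    corrected, '4.90.00.0902', is a genuinely different version."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {text!r}")
    return parts


# Values quoted in the thread.
DIRECTX_90B_REGISTRY = parse_version("4.09.00.0902")
# quartz.dll branch (major.minor) -> lowest version the thread shows as patched.
# Only the DirectX 7.0 branch (6.1.x) has a patched level anywhere in the thread.
PATCHED_QUARTZ_BY_BRANCH: Dict[Version, Version] = {
    (6, 1): parse_version("6.1.9.728"),
}


def classify_quartz(version: Version) -> str:
    """Compare only within the file's own branch (major.minor)."""
    floor = PATCHED_QUARTZ_BY_BRANCH.get(version[:2])
    if floor is None:
        return "unknown"  # e.g. the 6.3.x files of DirectX 8.0/8.1: no patched level listed
    return "patched" if version >= floor else "vulnerable"


def naive_classify(version: Version) -> str:
    """The tempting check, 'anything at least as new as the SP4 file is fine'.
    It calls the DirectX 8.0 file 6.3.1.400 patched merely because 6.3 > 6.1."""
    return "patched" if version >= PATCHED_QUARTZ_BY_BRANCH[(6, 1)] else "vulnerable"


def assess(registry_version: Optional[str], system32_quartz: Optional[str],
           dllcache_quartz: Optional[str] = None) -> Dict[str, str]:
    """Apply the thread's checklist to one machine's observed values.
    Pass None for anything you could not read."""
    out: Dict[str, str] = {}
    out["system32"] = ("not checked" if system32_quartz is None
                       else classify_quartz(parse_version(system32_quartz)))
    if dllcache_quartz is not None:
        out["dllcache"] = classify_quartz(parse_version(dllcache_quartz))
    if registry_version is not None and parse_version(registry_version) == DIRECTX_90B_REGISTRY:
        out["verdict"] = "ok: DirectX 9.0b installed (registry value matches KB819696)"
    elif out["system32"] == "patched":
        out["verdict"] = "ok: patched DirectX 7.0-branch quartz.dll in system32"
    elif out.get("dllcache") == "patched":
        # The trap shown in the thread: the patch staged a fixed copy in dllcache
        # but the copy actually loaded from system32 was never replaced.
        out["verdict"] = "staged only: patched copy in dllcache, live system32 copy untouched"
    elif out["system32"] == "vulnerable":
        out["verdict"] = "vulnerable: apply SP4 or Windows2000-KB819696-x86-ENU.exe"
    elif out["system32"] == "not checked":
        out["verdict"] = "undetermined: supply the system32 quartz.dll version"
    else:
        out["verdict"] = "unknown branch: no patched level listed for this quartz.dll; upgrade to DirectX 9.0b"
    return out


def read_registry_directx_version() -> Optional[str]:
    """Read HKLM\\SOFTWARE\\Microsoft\\DirectX\\Version on a Windows host.
    Returns None off Windows or when the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\DirectX") as key:
            value, _ = winreg.QueryValueEx(key, "Version")
            return str(value)
    except OSError:
        return None


# Constructed from the situations the thread walks through (registry value,
# system32 quartz.dll, dllcache quartz.dll). The 9.0b quartz.dll version is not
# given in the thread, so it is left as None there.
THREAD_SCENARIOS = {
    "DirectX 8.0, before SP4":      ("4.08.00.0400", "6.3.1.400", None),
    "DirectX 8.0, after KB819696":  ("4.08.00.0400", "6.3.1.400", "6.1.9.729"),
    "DirectX 8.1 (dx81bredist)":    ("4.08.01.0901", "6.03.01.0885", None),
    "DirectX 9.0b redistributable": ("4.09.00.0902", None, None),
}

if __name__ == "__main__":
    for name, (reg, live, cache) in THREAD_SCENARIOS.items():
        print(f"{name}: {assess(reg, live, cache)['verdict']}")
    print("naive check on the DirectX 8.0 file:", naive_classify(parse_version("6.3.1.400")))
```

On a real machine, collect the inputs the way the thread does: the registry value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\Version (read_registry_directx_version does this on Windows), and the file versions from the Properties dialog of C:\WINNT\system32\quartz.dll and C:\WINNT\system32\dllcache\quartz.dll, or on a newer host with PowerShell's (Get-Item <path>).VersionInfo.FileVersion; then pass the three strings to assess().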