October 12th, 2005, 09:23 PM
Warning: Problems with MS05-051
We follow many of the "Standard" lockdown procedures suggested NIST and others. We have had a major problem after applying the MS05-051 patch. The problem that we are seeing is that all the network connections including pptp connection dissapear. If you try to recreate them it tells you that it can't because they already exists. Your networking still works but it cannot display the connections. We have tracked it down to a permissions issue in the windows/winnt directory. The fix for us was to add the network service account with read permissions on the %systemroot%\registration directory. The vanilla build permissions is everyone read permissions.
We would like to know if anyone else has seen this. Also I wanted to let you all know so you can be aware of the issue.
October 12th, 2005, 11:35 PM
We've seen similar types of things happen prior to SP1, but not since. I won't see the effect of this on the network workstations until tomorrow.
Has not affected the laptop.
BTW, is this happening on all workstations, or just some? IIRC, that behavior prior to SP1 was a corruption that showed up after trying to remove certain browser toolbars and such. I looked at the text of MS05-051 and it just doesn't seem to make sense that it would affect the network connections, unless you are running a web/database server.
Just my tuppence.
October 13th, 2005, 06:57 PM
This is happening on all the computer we have applied the patch to. It is not corruption. If we remove the patch the problem goes away. It appears that Microsoft is changing permissions on the Registration directory.
October 13th, 2005, 09:08 PM
We have this problem too. We have a certain area where all hosts are configured to NIST 800 guidelines and POW, same thing.
Have you reported this to MS? My guess is that they will tell you that it's a YP not an MP.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
October 13th, 2005, 09:12 PM
Question: does this apply to non-network personal computers...I've been patched and have no seen problems?
October 13th, 2005, 09:43 PM
This has not yet been reported to Microsoft.
I would imagine that this would affect any XP machine. I am not sure about other versions. The problem is when you lock down your system to Guide lines such as NIST's, you remove the Everone group from virtually all NTFS permissions on the C drive. Apparently when Microsoft tested this patch they did not test it with the recommended hardening in place that may companies are using. Where you might see this on a standalone machine is that your dialup and pptp connection will have dissappeared.
October 14th, 2005, 07:06 PM
Draco: I didn't mean to minimize your comments above, in case that's what you thought. Thanks for bringing this up so quickly. It put this issue on the radar for us right away.
Just FYI, we (my co-workers) are hearing some similar issues from other sources, related to MS05-051. I passed that to the crew working on the patch updates for the desktops. We aren't quite that nailed down (removing Everyone), but we're going to watch that patch carefully.
MS should be checking these against NIST configured systems. Wonder if they missed this one.
None of the systems I've updated so far have exhibited the behavior you described, so I think it is probably isolated to systems configured as yours.
Also, check out the ISC:
Looks like there may be other issues and there is a lot of current activity on port 3372.
October 14th, 2005, 08:59 PM
From the SANS Site
We have had a report of problems with MS05-051. Here is what we have received. If anyone else is experiencing problems, please let us know.We have had a report of problems with MS05-051. Here is what we have received. If anyone else is experiencing problems, please let us know.
A number of people have reported weird problems with one of the MS patches released yesterday, specifically MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).
Symptoms include, but are not limited to:
- Inability to visit Windows Update
- Inablility to use the Search tool off the Start Menu
- blank screen (no icons) upon login
- Symantec LiveUpdate stops working
- SpySweeper stops working
- problems with Office apps
- VirtualPC becomes extremely sluggish
Lee said he had spoken to a Microsoft engineer about this. From what he could tell:
"this issue is only affecting people with very specific NTFS permissions. If the C:\Winnt\Registration\ folder is locked down and cannot be written to by COM+ you will have errors similar to those listed in your alert. All of those tasks use COM+ in one way or another."
Uninstalling patch 902400 seems to do the trick for most folks. You may need to check the "Show Updates" box under Add/Remove Programs to see the hotfixes.
How people treat you is their karma- how you react is yours-Wayne Dyer
October 14th, 2005, 11:54 PM
Well, the drama continues. The ISC has this on the handlers diary:
Looks like the NIST lockdown configuration is "incorrectly changed" from the default. Sounds like someone at MS is doing a CYA.
Another perspective from Microsoft:
'The solution will be available at http://support.microsoft.com/?id=909444,
and will be linked to from the MS05-051 bulletin - hopefully within the
hour. Feel free to communicate the cacls solution to anyone you come across
until then. This is not a "known issue" or "problem" with the patch, but a
"complexity with the increased security provided by the patch when running
on systems where settings have been incorrectly changed from the default
October 17th, 2005, 06:56 AM
Title: Microsoft Security Advisory Notification
Issued: October 14, 2005
Security Advisory Released Today
* Security Advisory (909444)
- Title: Various Issues After Installing Microsoft Security
Bulletin MS05-051 on Systems That Have Non-default
- Web site: http://go.microsoft.com/fwlink/?LinkId=55088