
Thread: Warning: Problems with MS05-051

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    21

    Warning: Problems with MS05-051

    We follow many of the "Standard" lockdown procedures suggested by NIST and others. We have had a major problem after applying the MS05-051 patch. The problem that we are seeing is that all the network connections, including PPTP connections, disappear. If you try to recreate them, it tells you that it can't because they already exist. Your networking still works but it cannot display the connections. We have tracked it down to a permissions issue in the windows/winnt directory. The fix for us was to add the network service account with read permissions on the %systemroot%\registration directory. The vanilla build permission is Everyone read permissions.

    We would like to know if anyone else has seen this. Also I wanted to let you all know so you can be aware of the issue.
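
An added example (not part of the original post): a PowerShell audit of the ACL on the %systemroot%\Registration directory named above, reporting whether NETWORK SERVICE, or a group assumed to cover it, still has read access on a hardened build. The SID list and the assumption that Everyone and Authenticated Users cover the NETWORK SERVICE account are choices made for this example.

```powershell
# Added example: audit read access on %SystemRoot%\Registration.
# Simplification: looks at Allow/Deny ACEs for three well-known SIDs only;
# it does not compute full effective access for a service token.

$path = Join-Path $env:SystemRoot 'Registration'

# Well-known SIDs, used instead of names so the check is locale-independent.
# Assumption: Everyone and Authenticated Users also cover NETWORK SERVICE.
$principals = [ordered]@{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-20' = 'NETWORK SERVICE'
}

$read        = [System.Security.AccessControl.FileSystemRights]::Read
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -LiteralPath $path

$report = foreach ($sid in $principals.Keys) {
    $allow = $false
    $deny  = $false
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs apply to children, not to the directory itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        try   { $aceSid = $ace.IdentityReference.Translate($sidType).Value }
        catch { continue }   # unresolvable account, skip it
        if ($aceSid -ne $sid) { continue }

        $rights = $ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and ($rights -band $read) -eq $read) {
            $allow = $true
        }
        if ($ace.AccessControlType -eq 'Deny' -and ($rights -band $read) -ne 0) {
            $deny = $true   # any denied read bit blocks a full read
        }
    }
    [pscustomobject]@{ Principal = $principals[$sid]; AllowRead = $allow; DenyRead = $deny }
}

$report | Format-Table -AutoSize

# Flag the hardened-build condition described in the post above.
$usable = @($report | Where-Object { $_.AllowRead -and -not $_.DenyRead })
if ($usable.Count -eq 0) {
    Write-Warning "No read access for NETWORK SERVICE (or a covering group) on $path"
}
```

Running it on a hardened reference image before the patch is deployed shows whether the build matches the condition reported here.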

  2. #2
    We've seen similar types of things happen prior to SP1, but not since. I won't see the effect of this on the network workstations until tomorrow.

    Has not affected the laptop.

    EDIT:

    BTW, is this happening on all workstations, or just some? IIRC, that behavior prior to SP1 was a corruption that showed up after trying to remove certain browser toolbars and such. I looked at the text of MS05-051 and it just doesn't seem to make sense that it would affect the network connections, unless you are running a web/database server.

    Just my tuppence.

  3. #3
    Junior Member
    Join Date
    Sep 2003
    Posts
    21
    This is happening on all the computers we have applied the patch to. It is not corruption. If we remove the patch the problem goes away. It appears that Microsoft is changing permissions on the Registration directory.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    We have this problem too. We have a certain area where all hosts are configured to NIST 800 guidelines and POW, same thing.

    Have you reported this to MS? My guess is that they will tell you that it's a YP not an MP.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Question: does this apply to non-network personal computers... I've been patched and have not seen problems?

    Eg

  6. #6
    Junior Member
    Join Date
    Sep 2003
    Posts
    21
    This has not yet been reported to Microsoft.


    I would imagine that this would affect any XP machine. I am not sure about other versions. The problem is when you lock down your system to guidelines such as NIST's, you remove the Everyone group from virtually all NTFS permissions on the C drive. Apparently when Microsoft tested this patch they did not test it with the recommended hardening in place that many companies are using. Where you might see this on a standalone machine is that your dialup and PPTP connections will have disappeared.

  7. #7
    Draco: I didn't mean to minimize your comments above, in case that's what you thought. Thanks for bringing this up so quickly. It put this issue on the radar for us right away.

    Just FYI, we (my co-workers) are hearing some similar issues from other sources, related to MS05-051. I passed that to the crew working on the patch updates for the desktops. We aren't quite that nailed down (removing Everyone), but we're going to watch that patch carefully.

    MS should be checking these against NIST configured systems. Wonder if they missed this one.

    None of the systems I've updated so far have exhibited the behavior you described, so I think it is probably isolated to systems configured as yours.

    EDIT:

    Also, check out the ISC:

    http://isc.sans.org/diary.php

    Looks like there may be other issues and there is a lot of current activity on port 3372.

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    From the SANS Site

    http://isc.sans.org//index.php?on=diary



    We have had a report of problems with MS05-051. Here is what we have received. If anyone else is experiencing problems, please let us know.

    A number of people have reported weird problems with one of the MS patches released yesterday, specifically MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).

    Symptoms include, but are not limited to:

    - Inability to visit Windows Update
    - Inability to use the Search tool off the Start Menu
    - blank screen (no icons) upon login
    - Symantec LiveUpdate stops working
    - SpySweeper stops working
    - problems with Office apps
    - VirtualPC becomes extremely sluggish

    Lee said he had spoken to a Microsoft engineer about this. From what he could tell:

    "this issue is only affecting people with very specific NTFS permissions. If the C:\Winnt\Registration\ folder is locked down and cannot be written to by COM+ you will have errors similar to those listed in your alert. All of those tasks use COM+ in one way or another."

    Uninstalling patch 902400 seems to do the trick for most folks. You may need to check the "Show Updates" box under Add/Remove Programs to see the hotfixes.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Well, the drama continues. The ISC has this on the handlers diary:

    http://isc.sans.org/

    Another perspective from Microsoft:

    'The solution will be available at http://support.microsoft.com/?id=909444,
    and will be linked to from the MS05-051 bulletin - hopefully within the
    hour. Feel free to communicate the cacls solution to anyone you come across
    until then. This is not a "known issue" or "problem" with the patch, but a
    "complexity with the increased security provided by the patch when running
    on systems where settings have been incorrectly changed from the default
    settings".'
    Looks like the NIST lockdown configuration is "incorrectly changed" from the default. Sounds like someone at MS is doing a CYA.


  10. #10
    Title: Microsoft Security Advisory Notification
    Issued: October 14, 2005
    ********************************************************************

    Security Advisory Released Today
    ==============================================

    * Security Advisory (909444)

    - Title: Various Issues After Installing Microsoft Security
    Bulletin MS05-051 on Systems That Have Non-default
    File Permissions


    - Web site: http://go.microsoft.com/fwlink/?LinkId=55088
