Bugtraq mailing list archives

Re: How the MS Critical Update Notification works...


From: hayward () SLOTHMUD ORG (Brian Hayward)
Date: Thu, 28 Jan 1999 10:59:37 -0600


So the weakest link here is the nameserver.  If someone is able to
compromise your nameserver.

I wonder what type of validation is done within the update utility.
Does it check to see if the resolved address is indeed a valid Microsoft
IP address, or are there any other security checks that prevent
installation of updates from a non-Microsoft site?

---
Brian Hayward  hayward () slothmud org
http://www.slothmud.org/~hayward/mic_humor.html :Microsoft Humor

On Thu, 28 Jan 1999, HD Moore wrote:

#Here is an overview of how Windows 98 determines if an update is available
#via the Critical Update Notification utility.  All of the information here
#was obtained through packet dumps, so if anyone from M$ would like to
#correct this, feel free to do so.
#
#
#Step A
#----------
#
#Windows 98 will try to resolve the address 'windowsupdate.microsoft.com'
#after you either open an IE4 window, or about every 5 minutes.  If it can
#resolve that address you proceed to step B, otherwise it waits and tries
#again in a few minutes.
#
#Step B
#----------
#
#The update program will connect to 'windowsupdate.microsoft.com' on port 80
#and attempt to retrieve a CAB file called cucif.cab.  If this file is
#retrieved successfully, you go on to step C, otherwise it waits and tries
#again.
#
#( the full GET request sent )
#
#-- snip --
#GET /x86/W98/en/ie4/cucif.cab HTTP/1.1
#Accept: application/vnd.ms-excel, application/msword,
#application/vnd.ms-powerpoint, */*
#Accept-Language: en-us
#Accept-Encoding: gzip, deflate
#User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
#Host: windowsupdate.microsoft.com
#Connection: Keep-Alive
#Cookie: MC1=ID=f738117cd92911d2933f0f08d79a2879
#-- unsnip --
#
#
#Step C
#----------
#
#Inside the cab is a file called 'cucif.cif'; this file has a list of all
#critical updates for Windows 98.  The update program checks this list
#against its list of installed updates and if a new one is found it will
#present the user with a dialog.  If the user chooses to accept the update,
#they are sent to the windowsupdate site via IE4.
#
#(a cut from 'cucif.cif')
#
#-- snip --
#[oepatch]
#DisplayName=%oepatch%
#Version=4,72,3135,0
#Locale=%L_oepatch%
#_CriticalUpdateDependencies=mailnews
#GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
#Reboot=1
#URL1="OEPATSP1.EXE",2
#Size1=1097,1110
#Command1="oepatsp1.exe"
#Type1=1
#Switches1="/Q:A /R:N"
#Size=1103,24
#-- unsnip --
#
#
#Anyways, I hope someone found this useful.
#
#
#HD Moore
#http://nlog.ings.com
#http://www.trinux.org
#
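
Step C from the quoted message, as an added example that is not part of either post and is not Microsoft's code: it parses the quoted 'cucif.cif' entry and reports which entries are newer than what is installed, along with the download name, command and switches the client would act on if the manifest is trusted. Keying the installed list by GUID and comparing the comma-separated Version fields numerically are assumptions; the page does not say how the utility does either.

```python
import configparser

# Constructed sample: the [oepatch] entry quoted in the post, unchanged.
SAMPLE_CIF = """\
[oepatch]
DisplayName=%oepatch%
Version=4,72,3135,0
Locale=%L_oepatch%
_CriticalUpdateDependencies=mailnews
GUID={AC84C7C0-21A1-11d2-AF1D-00C04FA35D02}
Reboot=1
URL1="OEPATSP1.EXE",2
Size1=1097,1110
Command1="oepatsp1.exe"
Type1=1
Switches1="/Q:A /R:N"
Size=1103,24
"""

def parse_version(text):
    """Turn '4,72,3135,0' into a comparable tuple (4, 72, 3135, 0)."""
    return tuple(int(part) for part in text.split(","))

def parse_cif(text):
    """Parse CIF text into {section: {key: value}}, keeping key case."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # do not lowercase keys such as GUID, URL1
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}

def pending_updates(cif_text, installed):
    """List entries that are missing from, or newer than, `installed`.

    `installed` maps an upper-cased GUID to a version tuple (assumed layout).
    Each result carries the fields that decide what gets fetched and run.
    """
    pending = []
    for name, fields in parse_cif(cif_text).items():
        offered = parse_version(fields["Version"])
        have = installed.get(fields["GUID"].upper())
        if have is None or offered > have:
            pending.append({"name": name, "version": offered,
                "download": fields.get("URL1", "").split(",")[0].strip('"'),
                "command": fields.get("Command1", "").strip('"'),
                "switches": fields.get("Switches1", "").strip('"')})
    return pending

if __name__ == "__main__":
    for update in pending_updates(SAMPLE_CIF, installed={}):
        print(update)
```
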


