Larry Beezley scribbled:
The new patches (MS03-041, -043, -044 and -045) do not seem to be
directly applicable to my Win XP Home, stand-alone computer, but Win
Update wants me to have them. This is true, also, of 329170, a
security update for corporate nets.
Is it safe to assume the Win Update knows what it's doing? In the
above patches, Win XP Home is not mentioned though other XP
configurations are. TIA,
Larry

MS02-070: Flaw in SMB Signing May Permit Group Policy to Be Modified
This article was previously published under Q329170
SYMPTOMS
Support for the Server Message Block (SMB) protocol is included in all
versions of Windows. Although SMB is a file-sharing protocol, SMB is
also used for other purposes. One of these purposes is disseminating
Group Policy settings from domain controllers to computers that log on.
Beginning with Windows 2000, it is possible to improve the integrity of
SMB sessions by digitally signing all packets in a session. Windows 2000
and Windows XP can be configured to always sign, never sign, or sign
only if the other party requires it.
A flaw in the implementation of SMB signing in Windows 2000 and Windows
XP can permit an attacker to silently downgrade the SMB signing settings
on an affected computer. To do this, an attacker must have access to the
session negotiation data as it is exchanged between a client and server,
and must be able to modify the data in a way that exploits the flaw.
This can cause either or both computers to send unsigned data no matter
what signing policy the administrator sets. After the attacker
downgrades the signing setting, the attacker can continue to monitor and
change data in the session. The lack of signing prevents the
communicators from detecting the changes.
Although this vulnerability can be exploited to expose any SMB session
to tampering, the most serious case involves changing Group Policy
settings as they are disseminated from a Windows 2000-based domain
controller to a newly logged-on network client. By doing this, an
attacker can take actions such as adding users to the local
Administrators group or installing and running code on the computer.
Note that Windows XP cannot be used as a domain controller. Therefore,
this scenario does not apply to Windows XP. This is the highest-risk
scenario that is associated with the vulnerability.
The information in this article applies to:
a. Microsoft Windows XP 64-Bit Edition
===> b. Microsoft Windows XP Home Edition
c. Microsoft Windows XP Professional
d. Microsoft Windows XP Tablet PC Edition
e. Microsoft Windows 2000 Advanced Server
f. Microsoft Windows 2000 Professional
g. Microsoft Windows 2000 Server
http://support.microsoft.com/default.aspx?kbid=329170

I follow the rule that if Windows update says my system needs an
update/fix then it is needed. I always read what the update is
updating/fixing *before* allowing the install by clicking on the "read
more..." link provided with all updates on the Windows update website.
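As an added illustration (not part of the original post or the quoted article), the script below reads the SMB signing policy the article describes ("always sign, never sign, or sign only if the other party requires it") for both the workstation and server sides of a Windows 2000/XP machine. It assumes the documented RequireSecuritySignature and EnableSecuritySignature DWORD values under the LanmanWorkstation and LanmanServer Parameters keys, and local rights to read HKLM.

```powershell
# Reports the configured SMB signing mode for the client (LanmanWorkstation)
# and server (LanmanServer) sides from the registry values that Windows
# 2000/XP use for this setting. Assumption: the value names below are the
# documented ones; a missing value is treated as 0 (the default).
function Get-SmbSigningPolicy {
    param(
        [ValidateSet('LanmanWorkstation', 'LanmanServer')]
        [string]$Service
    )
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # [int]$null evaluates to 0, so absent values fall through to "not set".
    $require = [int]$props.RequireSecuritySignature
    $enable  = [int]$props.EnableSecuritySignature

    if ($require -eq 1) {
        $mode = 'Always sign (signing required)'
    } elseif ($enable -eq 1) {
        $mode = 'Sign only if the other party requires it'
    } else {
        $mode = 'Never sign'
    }

    New-Object PSObject -Property @{
        Side    = $Service
        Require = $require
        Enable  = $enable
        Mode    = $mode
    }
}

# Show both sides of the policy on this computer.
'LanmanWorkstation', 'LanmanServer' | ForEach-Object { Get-SmbSigningPolicy $_ } |
    Format-Table Side, Require, Enable, Mode -AutoSize
```

Note that this only shows the policy as configured; the quoted article's point is that, without the MS02-070 fix, a tampered session negotiation can make a machine send unsigned data regardless of what this check reports, so the policy setting and the patch go together.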