MS Blast worm and Windows Update patch questions/problem

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Microsoft says on this page the security patch MS03-026 is the one needed to protect from the blast worm, and some users may have already installed the patch last month when it was released. But how do you figure out if you've already installed it? I do all the critical updates that it notifies me of, but when I go to the Windows Update site and view the installation history (or XP's control panel->Add/Remove), they're not listed in an alphanumeric format such as MS03-026. They're listed instead as a 6 digit number such as 823980, some w/ a Q in front (and some only if viewing in control panel have a KB in front for some reason). Why aren't these numbers the same format and how do you match them up with each other? I wondered this for a few days until I finally matched up MS03-026 with 823980, after Comcast sent its users an email saying to go here for the patch information. But I still wonder why these #'s aren't the same format, and is this the easiest way to match these numbers up?? I imagine many people (including me) won't know to visit technet to do this, if it weren't for the email.
Also, when windows update notifies you, or you manually go to the windows update site and it lists the critical updates you need, it shows both # formats there too, so I'm saying how would you know if it's not listed there (as I mentioned above, you want to make sure you've already installed it).


And a problem I'm having, when I went to the windows update site last week (8/12 or so) and did a scan, it didn't list that patch in the critical updates that I needed, but then on 8/16 it pops up notifying me that I needed to get it, and when I went to the windows update site on that day (8/16) and did a scan, it then listed it in the critical updates that I needed. Why wasn't it listed there on 8/12 since this patch came out in July (unless it's related to the next problem)?
And the other weird problem, in windows update, under View Installation History, it lists that I've already installed this patch(!):
"Successful Wednesday, July 16, 2003 Security Update for Windows XP (823980)"
Tonight it's still listed in both sections. What's going on?
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
Open Explorer and go to windows directory. Updates are listed first, look to see if 823980 is listed. If it's there then forget it.
 

Rapier21

Member
Aug 5, 2001
112
0
0
You can also go to the event viewer. (Start->Settings->Admin Tools->Event Viewer). Under the System Log, look for an Information type entry with the source "NtServicePack". Many windows updates create an entry in the event log when they are installed. Open up items that say NtServicePack. If the update was installed, one will say "Windows XP Hotfix KB823980 was installed." and the date of the event will be when the patch was installed. When searching, it will probably be most helpful to sort the list by the Source column then go find where the "Nt"-'s are. That hotfix should be one of the more recent entries in there. Mine was installed on 7/16/03, but yours may or may not be around that date if you have Automatic Updates disabled or such that it requires user intervention.

There is also a tool from Microsoft that can scan your network and tell you which computers are patched, but I've only heard about this from a co-worker, so it may or may not be true.
 

Bluefront

Golden Member
Apr 20, 2002
1,466
0
0
Sometimes MS will update a patch, so the old version may not be available for a few days. Then the new version with the old number may appear when you scan for updates. Also you can find some of these patches in control panel, add/remove programs. The whole process could be documented better.

It amazes me how few people use the update site. Maybe this latest virus thing will wake up those "if it ain't broke, don't fix it" morons.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Thanks Rapier21. I've got it, mine also on 7/16/2003:
"Windows XP Hotfix KB823980 was installed."
It's listed in my add/remove programs list also.

So any idea why the auto notify is still telling me that I need to download/install that update, and why after letting windows update site do a scan, it still says I need it?
Let me say that I delete the subfolders that show up in the beginning of the windows folder (they usually start with $) to keep things tidy there and to not have them show up in control panel->add/remove programs. I was told this is OK and it's been fine so far. Although oddly I have none listed in the windows directory now, but several are still listed in add/remove (why?). But it did work this way for awhile.

Also does no one know how to match up the hot fix numbers (see first post)?
 

Twista

Diamond Member
Jun 19, 2003
9,646
1
0
Originally posted by: Aznmask
Slickone? r u a spammer?? you have just posted 3 spam reply.



look @ his dates and times on his post.. than.. think.. again...
 

SUOrangeman

Diamond Member
Oct 12, 1999
8,361
0
0
There is also the qfecheck utility (may be a separate download from MS) that gives you all the hotfixes you've applied. Most of the updates also show up in Add/Remove Programs control panel.

-SUO
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Originally posted by: SUOrangeman
There is also the qfecheck utility (may be a separate download from MS) that gives you all the hotfixes you've applied. Most of the updates also show up in Add/Remove Programs control panel.

-SUO

Have you tried qfecheck? I go through the setup wizard, it checks for necessary space, then says I've successfully completed the Q282784 setup wizard, and I click Finish. But it doesn't seem to have installed anything anywhere. I did a search on the whole drive.
 

PowerMacG5

Diamond Member
Apr 14, 2002
7,701
0
0
There are many ways to tell if you have installed a patch. Firstly, when you go to Windows Update, you can view your installation history. Secondly, as you know, from Add/Remove programs. Thirdly, as suggested the Event Viewer. One other way is the systeminfo command. Go to a command prompt and type "systeminfo" (without the quotes) and under the section "Hotfix(s)" you will see all applied hotfixes. Also, Aznmask, I believe you may be the spammer. Look at Slickone's Joined date, number of posts, and the time between the bumps. Bumps are perfectly acceptable, as long as they are not habitually used. Slickone used them twice in a five day period. How could Slickone be a spammer if he only has 1277 posts in four years? I qualify more to be a spammer than he does.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Well I've already verified I have it, but am still wondering the questions I asked above (08/25/2003 11:42 PM), and also, for the heck of it, how to use qfecheck.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
qfecheck also verifies it installed. But again, see my post above (08/25/2003 11:42 PM).
 

Rob G.

Senior member
Dec 15, 1999
448
0
0
KB823980 was the initial RPC vulnerability, which Blaster and Nachi took advantage of.

The new one is KB824146 (MS03-039) and supersedes the previous patch. You MUST install the new one, even if you have the old one.

Easiest way to check for sure if you're protected is to download Microsoft's own scanning tool:

http://support.microsoft.com/?kbid=827363

Once you've downloaded and installed it (it's a standalone .exe file but it still needs to be unpacked etc) then just run it like this (from the command line):

kb824146scan.exe localhost

This will check the local machine and report back if it finds the original and/or new patch installed.
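
The checks discussed in this thread (matching 823980 / Q823980 / KB823980 to a bulletin, reading the `systeminfo` hotfix list, and accounting for MS03-039 superseding MS03-026) can be combined in one script. This is an added example, not part of any post and not Microsoft's tool; the sample `systeminfo` text is constructed and its layout is an assumption, while the bulletin-to-KB pairs are the ones given in the thread.

```python
import re

# Bulletin-to-KB pairs and the supersedence relation are the ones stated in the thread.
BULLETIN_TO_KB = {"MS03-026": "823980", "MS03-039": "824146"}
SUPERSEDED_BY = {"MS03-026": "MS03-039"}

# Accepts 823980, Q823980 and KB823980 (7 digits allowed for later articles).
_KB_RE = re.compile(r"\b(?:KB|Q)?(\d{6,7})\b", re.IGNORECASE)

# Constructed sample of a systeminfo "Hotfix(s)" section; the layout is an assumption.
SAMPLE = """\
Host Name:                 EXAMPLE-PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: Q147222
                           [03]: KB823980 - Update
NetWork Card(s):           1 NIC(s) Installed.
"""

def normalize_kb(label):
    """Return the bare article number from any of the display formats, or None."""
    m = _KB_RE.search(label)
    return m.group(1) if m else None

def installed_kbs(systeminfo_text):
    """Collect article numbers listed under the Hotfix(s) header."""
    found, in_section = set(), False
    for line in systeminfo_text.splitlines():
        if line.lower().startswith("hotfix"):
            in_section = True
        elif in_section and not line.startswith(" "):
            break  # the next unindented header ends the section
        elif in_section:
            entry = re.match(r"\s*\[\d+\]:\s*(\S+)", line)
            kb = normalize_kb(entry.group(1)) if entry else None
            if kb:
                found.add(kb)
    return found

def assess(installed):
    """Map each bulletin to 'installed', 'missing' or 'covered by <newer bulletin>'."""
    report = {}
    for bulletin, kb in BULLETIN_TO_KB.items():
        newer = SUPERSEDED_BY.get(bulletin)
        if newer and BULLETIN_TO_KB[newer] in installed:
            report[bulletin] = "covered by " + newer
        else:
            report[bulletin] = "installed" if kb in installed else "missing"
    return report

if __name__ == "__main__":
    print(assess(installed_kbs(SAMPLE)))
```

A machine that reports MS03-026 as installed but MS03-039 as missing still needs the newer update, which is the situation Windows Update would keep flagging.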
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Well if I don't have the correct patch installed, that makes sense as to why I'm still being notified to update. I thought it was notifying me to install 823980, but I'm not sure. I'm not at that PC now to check. Also either from the email Comcast sent, or from the sites I linked in the orig. post, I thought 823980 aka MS03-026 was the patch that fixed the vulnerability to the blaster worm that was going around at the time. For example, one of the M$ sites I linked said:
Your computer is not vulnerable to the Blaster worm if you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered. However, you will need to download and install the update addressed by Security Bulletin MS03-039 in order to help ensure that you are not vulnerable to future variants of the Blaster worm.

So they don't explain it too well, IMO.

Also what's the easiest way for the average user to figure out that MS03-039 is KB824146? Besides the page you linked to of course, which is the first time I've seen that page since all this started.
 

Rob G.

Senior member
Dec 15, 1999
448
0
0
"I thought 823980 aka MS03-026 was the patch that fixed the vulnerability to the blaster worm that was going around at the time"

Correct, as I said above.

"So they don't explain it too well, IMO"

Well, it seems pretty clear from here.

"Your computer is not vulnerable to the Blaster worm if you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered. However, you will need to download and install the update addressed by Security Bulletin MS03-039 in order to help ensure that you are not vulnerable to future variants of the Blaster worm"

I honestly don't see any ambiguity there. Any future variants of Blaster (and other new viruses) are likely to take advantage of the just-discovered additional vulnerability. You need the new patch.

"Also what's the easiest way for the average user to figure out that MS03-039 is KB824146?"

The average user would go to Windows Update and just get the patch. If they wanted to read up on a little more, they'd end up at the page I quoted before.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Originally posted by: Rob G.
"I thought 823980 aka MS03-026 was the patch that fixed the vulnerability to the blaster worm that was going around at the time"
"Correct, as I said above."

Well this is what I've thought all along. Meaning 823980 got rid of all risks of getting the blaster worm. Nothing else needed. But you said:
"KB823980 was the initial RPC vulnerability, which Blaster and Nachi took advantage of."
Which to me sounds like you're saying that 823980 didn't patch the vulnerability to the blaster worm, but instead, whatever it was intended to fix, it also created the vulnerability to the blaster worm.

"The new one is KB824146 (MS03-039) and supersedes the previous patch. You MUST install the new one, even if you have the old one."
Must for what, blaster? :)

"So they don't explain it too well, IMO"
"Well, it seems pretty clear from here."
"Your computer is not vulnerable to the Blaster worm if you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered. However, you will need to download and install the update addressed by Security Bulletin MS03-039 in order to help ensure that you are not vulnerable to future variants of the Blaster worm"

Again, this seemed to say that ms03-026 fixed all your problems, and ms03-039 was only to stop future worms. So it did seem pretty clear to me until you said:
"KB823980 was the initial RPC vulnerability, which Blaster and Nachi took advantage of."

"Also what's the easiest way for the average user to figure out that MS03-039 is KB824146?"
"The average user would go to Windows Update and just get the patch. If they wanted to read up on a little more, they'd end up at the page I quoted before."

Well I did that, which if you read my original post, is half of my question/problem. To summarize, at one time when I went to Windows Update page, it didn't list me needing either of these updates (which could be because of what Bluefront described above). But then a few days later I get an auto update notification that I need ms03-026 (823980). At that time Windows Update said I needed it as well. But also at that instance, Windows Update listed that I already had 823980 under installation history. So I'm still getting auto notifies that I need 823980, even though WU installation history, Event Viewer, and qfecheck all say I already have it.