KB971961 (Networking Products)
At 09 OCT 2009 02:10:36PM Harold Vance wrote:
I'm dubbing the patch KB971961 "HotGlue."
We just had a power outage, an outage which somehow reactivated the KB971961 hotfix even though the database server, which is running on a heavy duty UPS, never lost power. Somehow we had disabled the hotfix without uninstalling it (not sure how that happened - lol), and then the power outage triggered the UPS software to perform some action (maybe an email notification attempt?) that caused the database server to reload or run the patched JSCRIPT.DLL. Again, the server did not do a restart or shut down, so it had to be the APC software that triggered the chain of events.
Yes, this is all just conjecture, but the second "removal" (lol!) of the hotfix cleared the 30-second delays and fatal errors that we had started to experience all over again.
(Ironically, we have had far more power outages this year than we had after Ike came over us in 2008. We only lost power for like four hours during and after Ike.)
Is UD 4.5 using a backdoor that the JSCRIPT.DLL hotfix is cementing shut?
DOMAIN CONTROLLER
OS Name: Windows Server 2003, Enterprise Edition
Version: 5.2.3790 Service Pack 2 Version 3790
DATABASE SERVER
OS: Windows Server 2003, Standard Edition
Version: 5.2.3790 Service Pack 2 Version 3790
Revelation Driver: UD 4.5.0.0
TCP/IP Port: 777
Maybe port 777 is getting some hotglue treatment? That would be my best guess.
At 09 OCT 2009 02:37PM Harold Vance wrote:
From OSVDB.ORG:
57804 : Microsoft JScript Scripting Engine Memory Corruption Arbitrary Code Execution
(Description Provided by CVE) : The JScript scripting engine 5.1, 5.6, 5.7, and 5.8 in JScript.dll in Microsoft Windows, as used in Internet Explorer, does not properly load decoded scripts into memory before execution, which allows remote attackers to execute arbitrary code via a crafted web site that triggers memory corruption, aka "JScript Remote Code Execution Vulnerability."
CVE ID: 2009-1920 (see also: NVD)
Bugtraq ID: 36224
Secunia Advisory ID: 36551
Microsoft Knowledge Base Article: 971961
News Article: http://news.cnet.com/8301-13860_3-10346665-56.html
Microsoft Security Bulletin: MS09-045
This article is also interesting:
MS09-045 is not a typical update from Microsoft and is particularly dangerous since it positions JavaScript as a weapon of choice by attackers, said Josh Abraham, security researcher for Rapid7.
Abraham added that after all the ATL buzz in August, Microsoft is apparently going back to the basics with the TCP/IP updates in MS09-048.
At 09 OCT 2009 03:04PM Jared Bratu wrote:
When this problem occurs can you start the Universal Driver manager?
Does it experience the 30 second delay?
If you start the universal driver in debug mode can you determine what happens during the 30 second delay?
My previous questions still stand. You have provided a lot of detailed information but I don't think the patches are the cause of the underlying problem based on the information provided.
The UD does not use the JScript.DLL file.
At 09 OCT 2009 05:28PM Harold Vance wrote:
I appreciate the response. What is the command to start the Universal Driver in debug mode?
At 10 OCT 2009 04:20AM Harold Vance wrote:
It appears that the NICs on the domain controller (Dell PowerEdge 2950) may be the culprit. The PEdiag program showed errors on both NICs even though the server seemed like it was running ok.
The NICs may have been sending garbage to the database server, and the garbage was causing LH45SRVC.EXE to stall for short intervals ranging from five to 30 seconds.
We updated the firmware for the DC and installed new drivers. We also ran LH45SRVC.EXE in debug mode. Everything looks back to normal for now. We'll know more by Monday.
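One way to tell whether the five-to-30-second stalls described in this thread are visible at the network layer (rather than inside the service itself) is to time repeated TCP connects to the Universal Driver port from another host and flag any attempt that crosses the stall threshold. The probe below is an added example written for this page; it is not code from the thread or from Revelation's UD/LH45SRVC.EXE. It assumes the database server accepts UD client connections on TCP port 777, as listed in the server summary above; the host name, sample count, interval and thresholds are placeholders to adjust, and the samples in the no-argument run are constructed, not measured.

```python
"""TCP connect-latency probe for the Universal Driver port (added example).

Assumptions (placeholders, not from the thread): the UD listens on TCP 777,
a healthy connect finishes well under five seconds, and anything at or above
that is treated as a stall worth correlating with LH45SRVC.EXE debug output.
"""
import socket
import statistics
import time

UD_PORT = 777              # TCP/IP port from the thread's server summary
STALL_THRESHOLD_S = 5.0    # low end of the stall range reported in the thread
CONNECT_TIMEOUT_S = 35.0   # longer than the longest (30 s) stall reported


def probe_once(host, port=UD_PORT, timeout=CONNECT_TIMEOUT_S):
    """Time a single TCP connect; return (elapsed_seconds, error_text_or_None)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # handshake completed; we only want the timing
        return time.monotonic() - start, None
    except OSError as exc:
        return time.monotonic() - start, str(exc)


def classify(seconds, error=None, threshold=STALL_THRESHOLD_S):
    """Label one sample: 'error' (connect failed), 'stall' (slow), or 'ok'."""
    if error is not None:
        return "error"
    return "stall" if seconds >= threshold else "ok"


def summarize(samples, threshold=STALL_THRESHOLD_S):
    """Aggregate (seconds, error) samples into counts plus timing statistics."""
    counts = {"ok": 0, "stall": 0, "error": 0}
    ok_times = []
    worst = 0.0
    for seconds, error in samples:
        label = classify(seconds, error, threshold)
        counts[label] += 1
        worst = max(worst, seconds)
        if label == "ok":
            ok_times.append(seconds)
    return {
        "counts": counts,
        "worst_s": worst,
        "median_ok_s": statistics.median(ok_times) if ok_times else None,
        # Any stall or failed connect means the network path deserves a look
        "suspect": counts["stall"] + counts["error"] > 0,
    }


def probe_series(host, count=10, interval_s=1.0, port=UD_PORT):
    """Probe `count` times, pausing between attempts, and return the samples."""
    samples = []
    for _ in range(count):
        samples.append(probe_once(host, port))
        time.sleep(interval_s)
    return samples


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real run: python probe.py <database-server-host>
        result = summarize(probe_series(sys.argv[1]))
    else:
        # Constructed samples (not measured): seven quick connects, two stalls
        # inside the thread's five-to-30-second band, one refused connect.
        constructed = [(0.004, None)] * 7 + [
            (12.3, None),
            (30.1, None),
            (0.001, "[Errno 111] Connection refused"),
        ]
        result = summarize(constructed)
    print(result)
```

Run it from a client workstation rather than on the database server so the probe traverses the same NICs and switch ports the UD clients use; a series that is clean from one host and stalls from another points at a path-specific problem such as the faulty NICs found here, while stalls from every vantage point point back at the service.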