We have a Windows 2003 64 Bit Edition with Service Pack 2 installed. Our vulnerability scanner is reporting that this server is vulnerable to MS07-013 because the %windir%\system32\riched20.dll version is 18.104.22.1685. According to the security bulletin http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx this should be version 22.214.171.1246. Neither Microsoft Update nor MBSA detects a patch needed on this system.
Is MS07-013 included in Windows 2003 SP2? Is the system still vulnerable? Who knows!
It is not included in the list of updates included in Windows 2003 SP2 http://support.microsoft.com/kb/914962
If %windir%\system32\riched20.dll version 126.96.36.1995 is considered “patched” in Windows 2003 SP2, then we need the security bulletin updated. If it is not patched, then I need a patch released.
I’ve sent a note to my Microsoft TAM. We’ll see what happens.
I notice that a mailing list at patchmanagement.org reports four other curious patches. Those patches all have correct file versions on my server.
Update – I heard back from my TAM. He provided this link which indicates MS07-013 is included in Windows 2003 SP2. While it doesn’t specify the version number to expect, it does say it will be earlier than if you applied the patch to an SP1 server.