!KB904706 conflicting info on MS websites..

KB904706 is one of today's monthly updates...

On this MS page it says [clearly] it's for:

Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows XP
Service Pack 1
http://www.microsoft.com/technet/sec.../ms05-050.mspx

[nothing about Windows XP service pack 2 at all]


While the monthly email notification security bulletin says:

Title: Microsoft Security Bulletin Summary for October 2005
Issued: October 11, 2005
Version Number: 1.0
Bulletin: http://go.microsoft.com/fwlink/?LinkId=54789
************************************************** ******************

Summary:
========
This advisory contains information about all security updates
released this month. It is broken down by security bulletin severity.

Critical Security Bulletins
===========================

MS05-050 - Vulnerability in DirectShow Could Allow Remote Code
Execution (904706)

- Affected Software:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 1

===> - Windows XP Service Pack 2 <===

- Windows XP Professional x64 Edition
- Windows Server 2003
- Windows Server 2003 Service Pack 1
- Windows Server 2003 for Itanium-based Systems
- Windows Server 2003 with SP1 for Itanium-based Systems
- Windows Server 2003 x64 Edition

--

Replace the obvious with paradise.net to email me
Found Images
http://homepages.paradise.net.nz/~mlvburke

Hi,

Security Bulletin MS05-050 (KB904706) also have the following text:

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on
Microsoft Windows XP with Service Pack 2 – Download the update

This is very confusing text, as SP2 for WinXP installs DirectX 9.0c.


It should have been something like this:

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and
Microsoft DirectX 9.0c on Microsoft Windows XP with Service Pack 2 –
Download the update

or maybe better split it on two lines, one for WinXP SP1 and one for
WinXP SP2:

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1
– Download the update
• Microsoft DirectX 9.0c on Microsoft Windows XP Service Pack 2
– Download the update

where both points to the same download link.

Regards,
Torgeir


Max Burke wrote:

>
> KB904706 is one of today's monthly updates...
>
> On this MS page it says [clearly] it's for:
>
> Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows XP
> Service Pack 1
> http://www.microsoft.com/technet/sec.../ms05-050.mspx
>
> [nothing about Windows XP service pack 2 at all]
>
>
> While the monthly email notification security bulletin says:
>
> Title: Microsoft Security Bulletin Summary for October 2005
> Issued: October 11, 2005
> Version Number: 1.0
> Bulletin: http://go.microsoft.com/fwlink/?LinkId=54789
> ************************************************** ******************
>
> Summary:
> ========
> This advisory contains information about all security updates
> released this month. It is broken down by security bulletin severity.
>
> Critical Security Bulletins
> ===========================
>
> MS05-050 - Vulnerability in DirectShow Could Allow Remote Code
> Execution (904706)
>
> - Affected Software:
> - Windows 2000 Service Pack 4
> - Windows XP Service Pack 1
>
> ===> - Windows XP Service Pack 2 <===
>
> - Windows XP Professional x64 Edition
> - Windows Server 2003
> - Windows Server 2003 Service Pack 1
> - Windows Server 2003 for Itanium-based Systems
> - Windows Server 2003 with SP1 for Itanium-based Systems
> - Windows Server 2003 x64 Edition
>


--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

Hi,

And now the text at
http://www.microsoft.com/technet/sec.../ms05-050.mspx

is updated to state

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and
Microsoft DirectX 9.0c on Microsoft Windows XP with Service Pack 2
– Download the update


instead of the old text:

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on
Microsoft Windows XP with Service Pack 2 – Download the update


Regards,
Torgeir

Torgeir Bakken (MVP) wrote:

> Hi,
>
> Security Bulletin MS05-050 (KB904706) also have the following text:
>
> • Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on
> Microsoft Windows XP with Service Pack 2 – Download the update
>
> This is very confusing text, as SP2 for WinXP installs DirectX 9.0c.
>
>
> It should have been something like this:
>
> • Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and
> Microsoft DirectX 9.0c on Microsoft Windows XP with Service Pack 2 –
> Download the update
>
> or maybe better split it on two lines, one for WinXP SP1 and one for
> WinXP SP2:
>
> • Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1
> – Download the update
> • Microsoft DirectX 9.0c on Microsoft Windows XP Service Pack 2
> – Download the update
>
> where both points to the same download link.
>
> Regards,
> Torgeir
>
>


--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

And that's only the beginning of the conflicting information.

Under 'Affected Software', DirectX 7.0 on Win2K SP4 is listed.

Under 'Affected Components', it seems all versions of DirectX 8 & 9 are
listed when installed on Win2K SP4. There's no mention of DirectX 7.

The second issue is that Win2K SP4 or Windows 2003 Server system is
scanning for MS05-050. We have the updated mssecure.cab and XML file,
and MS05-050 is listed within.

Looking at the scanwrapper.log file however, there is no mention of
MS05-050 at all, applicable or not.

This is occurring on both Win2K and 2003 Servers. Windows XP appears
unaffected by this glitch.

Do you know what we should do about this?

Further inspection of the XML file shows that there are no download
locations listed for the Win2K or Win2K3 versions of the MS05-050
patch.

Get ready for a resync!

I'll just keep answering myself

Just spent 2 hours on the phone with PSS, although the article mentions
that MBSA should pick up the update, it doesn't, and they actually
(just yesterday) updated the Extended Security Update Inventory Tool to
detect MS05-050 on Win2K SP4 and Win2K3 RTM and neglected to mention
that anywhere in the article.

Well, they did mention it on the Tool download page:

http://www.microsoft.com/downloads/d...displaylang=en

but how would you know that unless you knew to go to that page in the
first place....