Windows Vista Tips

MS08-038 and KB950582

 
 
Joan Delgado

 
      11-20-2008
Hi all,

A customer asked me something about this bulletin:

Microsoft Security Bulletin MS08-038 – Important
http://www.microsoft.com/technet/sec.../ms08-038.mspx

MS08-038: Vulnerability in Windows Explorer could allow remote code execution
http://support.microsoft.com/kb/950582/en-us

The customer uses WSUS to apply the updates and they asked me about this
because this one only applies to Vista and W2k8, but they found this update
for XP with the same KB. The problem is that WSUS doesn't show this update for
XP.

For example:

Update for Windows XP (KB950582)
http://www.microsoft.com/downloads/d...4-1721D7B8DAA5

Update for Windows Server 2003 (KB950582)
http://www.microsoft.com/downloads/d...2-40CA63A967FB

We don't understand why an update exists for XP, 2k3 and 2k if the bulletin
only applies to Vista and 2k8. Or why it has the same KB.

When I try to download the update for all versions, the Brief Description is
the same: “Install this update to resolve an issue in which AutoRun features
were not correctly disabled.”

Can someone help me to understand this situation?

Thanks in advance

 
 
 
 
 
PA Bear [MS MVP]

 
      11-20-2008
[Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communities...pdate_services

In your newsreader:
news://msnews.microsoft.com/microsof...pdate_services
]

 
Lawrence Garvin (MVP)

 
      11-21-2008

I've channeled this question up to the WSUS Product Team for their
investigation.



--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Harry Johnston [MVP]

 
      11-23-2008
PA Bear cross-posted something Joan Delgado wrote:

>> MS08-038: Vulnerability in Windows Explorer could allow remote code
>> execution http://support.microsoft.com/kb/950582/en-us
>>
>> The customer uses WSUS to apply the updates and they asked me about this
>> because this one only applies to Vista and W2k8, but they found this
>> update for XP with the same KB. The problem is that WSUS doesn't show this
>> update for XP.


It looks as though the Windows XP version of the update is not considered
important enough to be released via WSUS, but has received enough testing to be
made available via the download center.

>> We don't understand why an update exists for XP, 2k3 and 2k if the
>> bulletin only applies to Vista and 2k8?


As I understand it, the update corrects an issue which exists in all of these
Windows versions. However, the issue only creates a security vulnerability on
Vista and 2008.

There is more information about the 2k/XP/2003 update in KB953252:

<http://support.microsoft.com/kb/953252/>


Harry.
 
 
Joan Delgado

 
      11-23-2008
Thanks Lawrence,

I'd be happy if you could explain to me the reason for this strange method of
publishing the KB article and bulletin.

If you can, forward me the answer from the WSUS Product Team.

Thanks in advance

 
Joan Delgado

 
      11-23-2008
Thanks Harry,

I think that's all for me.

I'm waiting for Lawrence's answer too.

Thanks

 
Eddie

 
      11-25-2008
Why isn't this patch "important enough" to push the 2k, 2k3 and XP patches to
WSUS so they are able to be deployed? We are required to push this out to an
ungodly amount of computers. Can nothing else be done to add these patches?
If not, is there a way to add it to our WSUS 3.0 server?

 
Harry Johnston [MVP]

 
      11-25-2008
Eddie wrote:

> Why isn't this patch "important enough" to push the 2k, 2k3 and XP patches to
> WSUS so they are able to be deployed?


I don't know what criteria Microsoft use to make these decisions. Nor do I have
any special information about whether this patch will appear on WSUS and/or the
Microsoft Update catalog in the future; for all I know, it will show up
tomorrow. I wouldn't bet on it.

> We are required to push this out to an ungodly amount of computers.


May I ask why? As you've managed without it so far, at the very least I don't
see why there should be any great urgency.

> Can nothing else be done to add these patches?


Presumably you already use some mechanism to install things like third-party
software updates on these computers; the same mechanism should be able to
install this update. You could, for example, use a startup script.

> If not, is there a way to add it to our WSUS 3.0 server?


Technically this is possible, but other methods would be significantly easier.

Harry.
 
 
Joan Delgado

 
      11-26-2008
Hi Eddie,

WSUS automatically shows only the patches that Microsoft develops because
there is a Security Bulletin (critical, important...) that defines the
vulnerability.

WSUS doesn't automatically show all of the patches/hotfixes that Microsoft
develops.

In this case, the situation is rare. I'll attempt to explain it.

In July '08 Microsoft published a Security Bulletin because it detected a
possible remote execution vulnerability.
This vulnerability was detected in Vista and W2k8. MS developed a hotfix to
resolve this. This hotfix modifies the Windows shell,
specifically Shell32.dll. It is for this reason that KB950582 only affects
Vista and W2k8.

Later (August '08), MS wrote a procedure to disable AutoRun through the
registry (KB953252), and this procedure only applies to W2k, W2k3, WXP and
WVista.
MS found that although the procedure was implemented, the result was not OK,
but on WVista it was OK. This was because they also needed to modify
shell32.dll on XP, 2k and 2k3, the same modification that KB950582 made.

In this case MS decided to publish this modification (for XP, 2k...) with the
same KB because both modified the same thing, but one (Vista & 2k8) was for a
critical vulnerability,
and the other was only a prerequisite to run a procedure. It is for this
reason that the KB950582 hotfix exists for all the systems but WSUS only shows
it for Vista and W2k8.

I was very confused by this decision...

The conclusion, I think, is: you must install hotfix KB950582 on Vista and
W2k8 because there is an Important vulnerability, and on XP, 2k and 2k3 you
install it only if you need to
implement KB953252. (There is no problem if you install it on all
systems.)

Sorry for my English, and I hope that I have clarified your doubts.

Joan

 
Joan Delgado

 
      12-03-2008
Hi Eddie

I think this is good info:

There were two separate issues involved here:
1) Autorun
2) Windows Explorer Search - RCE

#1 Autorun was an advisory which affected XP / WS03 / Vista and was placed
only on the DLC because it was an advisory.
However, the Vista package also contained #2 (Windows Explorer Search – RCE)
and is why it was released via WU / WSUS.

If you look under the FAQ for MS08-038, you will see it also contains the
following:

Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the “Vulnerability Details”
section of this bulletin, this security update also resolves a publicly known
issue with Autorun functionality in Windows Vista and Windows Server 2008
systems. The update correctly disables the right-click and double-click
behavior controlled by the NoDriveTypeAutorun registry key. This corrects the
issue identified in CVE-2008-0951 on Windows Vista and Windows Server 2008.
For more information on the usage of this registry key, see the TechNet
article, NoDriveTypeAutoRun.

Hope this helps.


--
Joan Delgado
blog: http://www.onlydifferent.net
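
Added example (not part of the thread or of Microsoft's bulletin): a PowerShell audit that decodes the NoDriveTypeAutoRun bitmask mentioned in the FAQ above and checks whether KB950582 is present on the local machine. The registry path and bit meanings are the documented Windows values; the function names and the sample values are constructed for illustration.

```powershell
# Added example, not from the thread. Function names and sample values are illustrative.
# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' }
)

function Get-AutoRunEnabledType {
    # Returns the drive types whose bit is clear, i.e. AutoRun is still allowed.
    param([Parameter(Mandatory = $true)][int]$Value)
    foreach ($t in $DriveTypeBits) {
        if (($Value -band $t.Bit) -eq 0) { $t.Name }
    }
}

function Format-AutoRunValue {
    param([Parameter(Mandatory = $true)][int]$Value)
    $open = @(Get-AutoRunEnabledType -Value $Value)
    $list = if ($open.Count) { $open -join ', ' } else { 'none' }
    '0x{0:X2}: AutoRun still enabled for: {1}' -f $Value, $list
}

# Constructed sample values, decoded offline.
0x91, 0x95, 0xFF | ForEach-Object { Format-AutoRunValue -Value $_ }

# Live check on the local machine.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$hotfix = Get-HotFix -Id KB950582 -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    'NoDriveTypeAutoRun is not set under HKLM policies.'
} else {
    $raw = $policy.NoDriveTypeAutoRun
    if ($raw -is [byte[]]) { $raw = $raw[0] }   # older systems may store it as REG_BINARY
    Format-AutoRunValue -Value ([int]$raw)
}

if ($hotfix) {
    'KB950582 is installed.'
} elseif ($policy) {
    # The thread's point: on 2k/XP/2003 the registry setting is only honoured
    # correctly once the Shell32.dll update is present.
    'KB950582 not found: the registry value alone may not be honoured (see KB953252).'
} else {
    'KB950582 not found.'
}
```

The hotfix check is meaningful on the Windows versions discussed in this thread; run as a startup script, its output can be collected per machine to find hosts where the policy is set but the update is missing.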


 
 
 