MSXML & KB925672

KB925672 was not offered to me for download on 11 Oct, along with 6 other
criticals/security updates.
The download notification for this KB has just popped up.
Seeing that some others have been having problems with this particular
update since 10 Oct, I was wondering if I need it and why it was not in the
first offering.
A search shows that there are number of msxml2, 2r, 3, 3r, 4, 4r
already in my system.
Having read all the threads on this item and at MS, I am afraid I have no
clear idea as to what it is for other than it has some connection with
obtaining updates from MS.
Before I download any update I do like to try and comprehend what and why I
am installing such on my computer.

The MS update info is;
A vulnerability exists in MS XML Core Services that could allow for
information disclosure because the XMLHTTP ActiveX control incorrectly
interprets an HTTP server-side redirect.

How can MS expect an average computer user to understand such techno-speak.

Perhaps they are trying to explain why their WU Home page keeps crashing etc
every Black Tuesday.

Should I install or not? And if so, from here I assume

http://www.microsoft.com/downloads/r...DisplayLang=en

And once again, a search for this KB number in MS Download Search in windows
security & updates produces a negative response, as normal? Search in the
Results page finds it?

Rgds
Antioch

Yes, you should apply this security update. The problems that most people
encountered when the update went live were because Windows Update/Microsoft
Update was not properly seeing the patch was successful and a reboot was
requested. The update was installed for these cases. The update has been
fixed to properly detect when patch is successful and a reboot is required.

Thanks,
Peter Saddow
Microsoft

"antioch" wrote:

> KB925672 was not offered to me for download on 11 Oct, along with 6 other
> criticals/security updates.
> The download notification for this KB has just popped up.
> Seeing that some others have been having problems with this particular
> update since 10 Oct, I was wondering if I need it and why it was not in the
> first offering.
> A search shows that there are number of msxml2, 2r, 3, 3r, 4, 4r
> already in my system.
> Having read all the threads on this item and at MS, I am afraid I have no
> clear idea as to what it is for other than it has some connection with
> obtaining updates from MS.
> Before I download any update I do like to try and comprehend what and why I
> am installing such on my computer.
>
> The MS update info is;
> A vulnerability exists in MS XML Core Services that could allow for
> information disclosure because the XMLHTTP ActiveX control incorrectly
> interprets an HTTP server-side redirect.
>
> How can MS expect an average computer user to understand such techno-speak.
>
> Perhaps they are trying to explain why their WU Home page keeps crashing etc
> every Black Tuesday.
>
> Should I install or not? And if so, from here I assume
>
> http://www.microsoft.com/downloads/r...DisplayLang=en
>
> And once again, a search for this KB number in MS Download Search in windows
> security & updates produces a negative response, as normal? Search in the
> Results page finds it?
>
> Rgds
> Antioch
>
>
>

Hello Peter
Thank you for your reply.
I have been trying to place your reply in context with

http://www.microsoft.com/downloads/d...displaylang=en

Refers to MS06-061 - Download
Version 1
Date published shows 10.6.2006 - 6 Oct or 10 June?
Refers to 2 articles, 925672 & 924191.

On that page selecting MS06-061 links to an item about KB924191 - Updated
Oct 11 2006 Version 1.1

On that same page selecting KB925672 links to an article re that number.
Mentions:-
Revision 1.0
Last Review Oct 10
The para headed 'Known Issues with etc etc' - alas means nothing to me
whatsoever.

On that same page selecting KB924191 links to an article re this KB number.
Mentions:-
Last Review Oct 11
Revision 2.0
Selecting the link to Home Users brings up the Oct security updates MS
numbers, which of course includes 061.
Published Oct 10

NB - how can Revision 1 of KB925672 equate to Revision 2 of KB924191 when
925672 came after 924191?

Going here

http://www.microsoft.com/downloads/d...displaylang=en

Gives the download I used for 924191.
Updated Oct 11
Version 1.1

I can make no sense from the above at all.

Re your reply, I asked if I need this 925672 and why? when 924191 is
installed without problem.
You say "The problems that most people.....when the update {what update?
924191 or 925672).........was not seeing the patch{what patch?}was
successful and a reboot was requested".

I save to disk, install and reboot on every update.

You go on to say "The update was installed {do you mean offered for
install}for these cases{which as far as I can see have not effected me -
unless of course you mean the problems with 925672}. The update has been
fixed to properly detect when patch{what patch?} is successful and a reboot
is required"

Unless I have understood this matter the wrong way, it appears that 925672
was a fix/patch for those who installed 924191 and failed to reboot because
the update forgot to tell them to do so, and as a result what was installed
was now a 'bug in the works'
and has caused or left something that has needed to be corrected.

I have no desire to install the 925672 if it is likely to cause the problems
that others have had from trying to do so.
I have read the fix as suggested - don't fancy trying that at all :-(

Sorry this has been so long - I did try and condense it but it did not
explain what I was wanting to know.
Rgds
Antioch
It is nice to see an MS person in the groups - should happen more often.





"Peter Saddow [Microsoft]" <>
wrote in message news:6151799D-E755-4FAE-BC4D-...
> Yes, you should apply this security update. The problems that most people
> encountered when the update went live were because Windows
> Update/Microsoft
> Update was not properly seeing the patch was successful and a reboot was
> requested. The update was installed for these cases. The update has been
> fixed to properly detect when patch is successful and a reboot is
> required.
>
> Thanks,
> Peter Saddow
> Microsoft
>
> "antioch" wrote:
>
>> KB925672 was not offered to me for download on 11 Oct, along with 6 other
>> criticals/security updates.
>> The download notification for this KB has just popped up.
>> Seeing that some others have been having problems with this particular
>> update since 10 Oct, I was wondering if I need it and why it was not in
>> the
>> first offering.
>> A search shows that there are number of msxml2, 2r, 3, 3r, 4, 4r
>> already in my system.
>> Having read all the threads on this item and at MS, I am afraid I have no
>> clear idea as to what it is for other than it has some connection with
>> obtaining updates from MS.
>> Before I download any update I do like to try and comprehend what and why
>> I
>> am installing such on my computer.
>>
>> The MS update info is;
>> A vulnerability exists in MS XML Core Services that could allow for
>> information disclosure because the XMLHTTP ActiveX control incorrectly
>> interprets an HTTP server-side redirect.
>>
>> How can MS expect an average computer user to understand such
>> techno-speak.
>>
>> Perhaps they are trying to explain why their WU Home page keeps crashing
>> etc
>> every Black Tuesday.
>>
>> Should I install or not? And if so, from here I assume
>>
>> http://www.microsoft.com/downloads/r...DisplayLang=en
>>
>> And once again, a search for this KB number in MS Download Search in
>> windows
>> security & updates produces a negative response, as normal? Search in
>> the
>> Results page finds it?
>>
>> Rgds
>> Antioch
>>
>>
>>

Hi,

925672 is /not/ a patch for those who installed 924191 and failed to
reboot.

925672 is the security update for MSXML 4 (msxml4.dll and msxml4r.dll),
while 924191 is the security update for MSXML 2 and 3 (msxml2.dll,
msxml2r.dll, msxml3.dll and msxml3r.dll)

Both updates fixes the vulnerability described in Microsoft Security
Bulletin MS06-061.

(For MSXML 6, the update is named 925673)

As you have MSXML 4 installed (based on your find of msxml4.dll), you
will need to install 925672 also.


KB article references:

MS06-061: Vulnerabilities in Microsoft XML Core Services could allow
remote code execution
http://support.microsoft.com/kb/924191/

MS06-061: Security update for Microsoft XML Core Services 4.0 SP2
http://support.microsoft.com/kb/925672/

MS06-061: Security update for Microsoft XML Core Services 6.0
http://support.microsoft.com/kb/925673/

The reason for having separate updates, is that MSXML 4 and MSXML 6 is
an optional component (they are not included in a clean OS
installation), while MSXML 2 and 3 comes included in the OS.

Note that the Revision 2.0 reference in KB924191 is not a revision to
the update, but to the text in the KB article only.

And by the way, the date in the download links (stating "Published:
10/6/2006") is wrong, they were published 10/10/2006 (at the same time
as the Security Bulletin MS06-061 was released).


antioch wrote:

> Hello Peter
> Thank you for your reply.
> I have been trying to place your reply in context with
>
> http://www.microsoft.com/downloads/d...displaylang=en
>
> Refers to MS06-061 - Download
> Version 1
> Date published shows 10.6.2006 - 6 Oct or 10 June?
> Refers to 2 articles, 925672 & 924191.
>
> On that page selecting MS06-061 links to an item about KB924191 - Updated
> Oct 11 2006 Version 1.1
>
> On that same page selecting KB925672 links to an article re that number.
> Mentions:-
> Revision 1.0
> Last Review Oct 10
> The para headed 'Known Issues with etc etc' - alas means nothing to me
> whatsoever.
>
> On that same page selecting KB924191 links to an article re this KB number.
> Mentions:-
> Last Review Oct 11
> Revision 2.0
> Selecting the link to Home Users brings up the Oct security updates MS
> numbers, which of course includes 061.
> Published Oct 10
>
> NB - how can Revision 1 of KB925672 equate to Revision 2 of KB924191 when
> 925672 came after 924191?
>
> Going here
>
> http://www.microsoft.com/downloads/d...displaylang=en
>
> Gives the download I used for 924191.
> Updated Oct 11
> Version 1.1
>
> I can make no sense from the above at all.
>
> Re your reply, I asked if I need this 925672 and why? when 924191 is
> installed without problem.
> You say "The problems that most people.....when the update {what update?
> 924191 or 925672).........was not seeing the patch{what patch?}was
> successful and a reboot was requested".
>
> I save to disk, install and reboot on every update.
>
> You go on to say "The update was installed {do you mean offered for
> install}for these cases{which as far as I can see have not effected me -
> unless of course you mean the problems with 925672}. The update has been
> fixed to properly detect when patch{what patch?} is successful and a reboot
> is required"
>
> Unless I have understood this matter the wrong way, it appears that 925672
> was a fix/patch for those who installed 924191 and failed to reboot because
> the update forgot to tell them to do so, and as a result what was installed
> was now a 'bug in the works'
> and has caused or left something that has needed to be corrected.
>
> I have no desire to install the 925672 if it is likely to cause the problems
> that others have had from trying to do so.
> I have read the fix as suggested - don't fancy trying that at all :-(
>
> Sorry this has been so long - I did try and condense it but it did not
> explain what I was wanting to know.
> Rgds
> Antioch
> It is nice to see an MS person in the groups - should happen more often.
>
>
>
>
>
> "Peter Saddow [Microsoft]" <>
> wrote in message news:6151799D-E755-4FAE-BC4D-...
>
>>Yes, you should apply this security update. The problems that most people
>>encountered when the update went live were because Windows
>>Update/Microsoft
>>Update was not properly seeing the patch was successful and a reboot was
>>requested. The update was installed for these cases. The update has been
>>fixed to properly detect when patch is successful and a reboot is
>>required.
>>
>>Thanks,
>>Peter Saddow
>>Microsoft
>>
>>"antioch" wrote:
>>
>>
>>>KB925672 was not offered to me for download on 11 Oct, along with 6 other
>>>criticals/security updates.
>>>The download notification for this KB has just popped up.
>>>Seeing that some others have been having problems with this particular
>>>update since 10 Oct, I was wondering if I need it and why it was not in
>>>the
>>>first offering.
>>>A search shows that there are number of msxml2, 2r, 3, 3r, 4, 4r
>>>already in my system.
>>>Having read all the threads on this item and at MS, I am afraid I have no
>>>clear idea as to what it is for other than it has some connection with
>>>obtaining updates from MS.
>>>Before I download any update I do like to try and comprehend what and why
>>>I
>>>am installing such on my computer.
>>>
>>>The MS update info is;
>>>A vulnerability exists in MS XML Core Services that could allow for
>>>information disclosure because the XMLHTTP ActiveX control incorrectly
>>>interprets an HTTP server-side redirect.
>>>
>>>How can MS expect an average computer user to understand such
>>>techno-speak.
>>>
>>>Perhaps they are trying to explain why their WU Home page keeps crashing
>>>etc
>>>every Black Tuesday.
>>>
>>>Should I install or not? And if so, from here I assume
>>>
>>>http://www.microsoft.com/downloads/r...DisplayLang=en
>>>
>>>And once again, a search for this KB number in MS Download Search in
>>>windows
>>>security & updates produces a negative response, as normal? Search in
>>>the
>>>Results page finds it?
>>>
>>>Rgds
>>>Antioch
>>>
>>>
>>>
>
>
>


--
torgeir, Microsoft MVP Software Distribution, Porsgrunn Norway

Reply bottom posted

"Torgeir Bakken (MVP)" <Torgeir.Bakken-> wrote in message
news:%...
> Hi,
>
> 925672 is /not/ a patch for those who installed 924191 and failed to
> reboot.
>
> 925672 is the security update for MSXML 4 (msxml4.dll and msxml4r.dll),
> while 924191 is the security update for MSXML 2 and 3 (msxml2.dll,
> msxml2r.dll, msxml3.dll and msxml3r.dll)
>
> Both updates fixes the vulnerability described in Microsoft Security
> Bulletin MS06-061.
>
> (For MSXML 6, the update is named 925673)
>
> As you have MSXML 4 installed (based on your find of msxml4.dll), you
> will need to install 925672 also.

> KB article references:
>
> MS06-061: Vulnerabilities in Microsoft XML Core Services could allow
> remote code execution
> http://support.microsoft.com/kb/924191/
>
> MS06-061: Security update for Microsoft XML Core Services 4.0 SP2
> http://support.microsoft.com/kb/925672/
>
> MS06-061: Security update for Microsoft XML Core Services 6.0
> http://support.microsoft.com/kb/925673/
>
> The reason for having separate updates, is that MSXML 4 and MSXML 6 is
> an optional component (they are not included in a clean OS
> installation), while MSXML 2 and 3 comes included in the OS.
>
> Note that the Revision 2.0 reference in KB924191 is not a revision to
> the update, but to the text in the KB article only.
>
> And by the way, the date in the download links (stating "Published:
> 10/6/2006") is wrong, they were published 10/10/2006 (at the same time
> as the Security Bulletin MS06-061 was released).

> --
> torgeir, Microsoft MVP Software Distribution, Porsgrunn Norway


Hallo Torgeir
Thank you so much for your very clear explanation of the question I was
posing.
It is a relief to see that you understood my confusion over these two
updates.
I shall download and install KB925672, but not from WU Home as I think this
is where others, who have been unsuccessful, found there problems.
Are you getting as many update problems in Norway? as we are here.
If it is quieter in the Norwegian group, perhaps you could pop back here on
the next Black Tuesday :-)
Take care
Rgds
Antioch