Re: MS09-010 960477 KB923561 FAILED on all Servers.

[Forwarded to Windows Server General & Security newsgroups via crosspost for
greater exposure]

See the "How to obtain help..." section of
http://support.microsoft.com/kb/960477 or
http://support.microsoft.com/kb/923561
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and
> confirmed
> that changing the permissions for the file to read/write will allow the
> patch to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

Yes - but how does one get around the issue? This is happeneing on a
significant number of servers. MS email support is a joke.

"PA Bear [MS MVP]" wrote:

> [Forwarded to Windows Server General & Security newsgroups via crosspost for
> greater exposure]
>
> See the "How to obtain help..." section of
> http://support.microsoft.com/kb/960477 or
> http://support.microsoft.com/kb/923561
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Client - since 2002
>
> JustJeff wrote:
> > Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> > patches install except above. Work around appears to be
> >
> > This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> > This file is set to read/execute only for the "everyone" group. Because of
> > this, it causes the patch to fail installation. I have tested and
> > confirmed
> > that changing the permissions for the file to read/write will allow the
> > patch to apply. I then changed it back to read/execute.
> >
> > Since this will require a lot of administrative effort, I wrote a quick
> > script to change the permissions on this file to RW, and then another to
> > change it back to read/execute.
> >
> > However - Why should I need to do this? Should it not just install?
>
>

[Jeff, if I knew why you were experiencing these failures and how you could
"get around" them, I'd tell you. Let's let some others reply to your
thread.]

JustJeff wrote:
> Yes - but how does one get around the issue? This is happeneing on a
> significant number of servers. MS email support is a joke.
>
> "PA Bear [MS MVP]" wrote:
>
>> [Forwarded to Windows Server General & Security newsgroups via crosspost
>> for greater exposure]
>>
>> See the "How to obtain help..." section of
>> http://support.microsoft.com/kb/960477 or
>> http://support.microsoft.com/kb/923561
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Client - since 2002
>>
>> JustJeff wrote:
>>> Trying to install on Windows 2003 Servers SP2 up to date patches. All
>>> new
>>> patches install except above. Work around appears to be
>>>
>>> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
>>> This file is set to read/execute only for the "everyone" group. Because
>>> of
>>> this, it causes the patch to fail installation. I have tested and
>>> confirmed
>>> that changing the permissions for the file to read/write will allow the
>>> patch to apply. I then changed it back to read/execute.
>>>
>>> Since this will require a lot of administrative effort, I wrote a quick
>>> script to change the permissions on this file to RW, and then another to
>>> change it back to read/execute.
>>>
>>> However - Why should I need to do this? Should it not just install?

"JustJeff" <> wrote in message
news:EDFEF978-7A4B-4DFB-8FD5-...
> Yes - but how does one get around the issue? This is happeneing on a
> significant number of servers. MS email support is a joke.

Hello Jeff,

I have not been following the whole thread, and only see the past 3 posts.
But I must say, I've actually have not seen any problems with this update,
or others. I don't see why you have to alter any permissions for any updates
to be installed onany server unless basic out of the box configuration has
been altered or a security template has been applied.

Have you made any configuration changes to your DCs and servers, such as C:
drive permission changes, disabled services (such as the required DHCP
Client service), or anything like that based on company SOP? Are you only
using your internal DNS servers for all machines' IP properties?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"PA Bear [MS MVP]" <> wrote in message
news:...
> [Jeff, if I knew why you were experiencing these failures and how you
> could "get around" them, I'd tell you. Let's let some others reply to
> your thread.]


To add, after looking into it deeper, and I don't know if this was discussed
in this thread, but it appears the following article indicates the
installation may fail if 960906 was installed prior to this installation.
MS09-010: Description of the update for Windows WordPad Converter: April 14,
2009
http://support.microsoft.com/?id=923561

And this is 960906, that indicates it changes permissions on that file:
Microsoft Security Advisory: Vulnerability in Wordpad Convertor could allow
remote code execution
http://support.microsoft.com/?id=960906

I assumed if you have numerous servers, that you read the bulletins and
articles prior to installation?

Ace

Ace Fekay [Microsoft Certified Trainer] wrote:
> "JustJeff" <> wrote in message
> news:EDFEF978-7A4B-4DFB-8FD5-...
>> Yes - but how does one get around the issue? This is happeneing on a
>> significant number of servers. MS email support is a joke.
>
> Hello Jeff,
>
> I have not been following the whole thread, and only see the past 3 posts.
> But I must say, I've actually have not seen any problems with this update,
> or others. I don't see why you have to alter any permissions for any
> updates
> to be installed onany server unless basic out of the box configuration has
> been altered or a security template has been applied.
>
> Have you made any configuration changes to your DCs and servers, such as
> C:
> drive permission changes, disabled services (such as the required DHCP
> Client service), or anything like that based on company SOP? Are you only
> using your internal DNS servers for all machines' IP properties?

> I have not been following the whole thread, and only see the past 3 posts.

That's because the newsservers are still horked and have been for the past
month or so.

Here's the entire thread as archived in Google Groups:
http://groups.google.com/group/micro...3fab655525f3da

Right now, it's showing eight (8) posts, including your two (2). Expand the
quote in the first post (mine) to see Jeff's first post.

"PA Bear [MS MVP]" <> wrote in message
news:On$...
>
> That's because the newsservers are still horked and have been for the past
> month or so.
>
> Here's the entire thread as archived in Google Groups:
> http://groups.google.com/group/micro...3fab655525f3da
>
> Right now, it's showing eight (8) posts, including your two (2). Expand
> the quote in the first post (mine) to see Jeff's first post.


Thanks, PA Bear.

I reviewed the posts and it looks like Susan provided a script to take care
of it. I also agree with her question if a security template may have been
possibly applied to the machines causing this. Other than that, I can't
think of anything else that could be causing it. I myself, have not seen
this issue on any of my servers or my customers' servers.

btw - OT, curious about your name. Where are you located? Wilkes Barre or
there abouts? I'm near Philly.

Ace