MS08-038 and KB950582

Hi all,

A customer ask me something about this bulletin,

Microsoft Security Bulletin MS08-038 – Important
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx

MS08-038: Vulnerability in Windows Explorer could allow remote code execution
http://support.microsoft.com/kb/950582/en-us

The customer uses WSUS to apply the updates and they ask me about this
because this one only apply for Vista and W2k8, but they found this update
for XP with the same KB. The problem is that WSUS don’t show this update for
XP.

For example:

Update for Windows XP (KB950582
http://www.microsoft.com/downloads/details.aspx?FamilyId=CC4FB38C-579B-40F7-89C4-1721D7B8DAA5

Update for Windows Server 2003 (KB950582
http://www.microsoft.com/downloads/details.aspx?FamilyId=705305E5-7060-4236-B5D2-40CA63A967FB

We don’t understand why exist an update for xp, 2k3 and 2k if the bulletin
only apply to Vista and 2k8? Or why with the same KB.

When I try to download the update for all versions the Brief Description is
the same, “Install this update to resolve an issue in which AutoRun features
were not correctly disabled.â€

Someone can help me to understand this situation?

Thanks in advance

 

[Right pew, wrong church. Forwarded to WSUS newsgroup
(microsoft.public.windows.server.update_services) via crosspost as a
convenience to OP.

On the web:
http://www.microsoft.com/communitie...crosoft.public.windows.server.update_services

In your newsreader:
news://msnews.microsoft.com/microsoft.public.windows.server.update_services
]

 

I've channeled this question up to the WSUS Product Team for their
investigation.



--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

 

It looks as though the Windows XP version of the update is not considered
important enough to be released via WSUS, but has received enough testing to be
made available via the download center.

As I understand it, the update corrects an issue which exists in all of these
Windows versions. However, the issue only creates a security vulnerability on
Vista and 2008.

There is more information about the 2k/XP/2003 update in KB953252:

<http://support.microsoft.com/kb/953252/>

http://support.microsoft.com/kb/953252/

Harry.

 

Thanks Lawrence,

i'll be happy if you explain me the reason of this strange method to public
the kb article an bulletin.

if you can, forward me the answer of WSUS Product Team

Thanks in advance

 

Thanks Harry,

I think that its all for me.

I'm waiting for answer of Lawrence too.

Thanks

 

Why isn't this patch "important enough" to push the 2k, 2k3 and XP patches to
WSUS so they are able to be deployed? We are required to push this out to an
ungodly amount of computers. Can nothing else be done to add these patches?
If not, is there a way to add it to our WSUS 3.0 server?

 

I don't know what criteria Microsoft use to make these decisions. Nor do I have
any special information about whether this patch will appear on WSUS and/or the
Microsoft Update catalog in the future; for all I know, it will show up
tomorrow. I wouldn't bet on it.

May I ask why? As you've managed without it so far, at the very least I don't
see why there should be any great urgency.

Presumably you already use some mechanism to install things like third-party
software updates on these computers; the same mechanism should be able to
install this update. You could, for example, use a startup script.

Technically this is possible, but other methods would be significantly easier.

Harry.

 

Hi Eddie,

In WSUS automatically only shows the patches that Microsoft develop because
there are a Security Bulletin (critical, important...) that define the
vulnerability.

WSUS automatically don't shows all of patches/hotfixes that Microsoft
develops.

In this case, the situation is rare. I attempt to explain it.

Microsoft in July'08 published a Security Bulletin because detect a possible
vulnerability about remote execution.
This vulnerability was detected in Vista and W2k8. MS develop a hotfix to
resolve this. This hotfix modify the shell of windows,
specifically Shell32.dll. Is for this reason that the KB950582 only affect
to Vista and W2k8.

Later (August'08), MS write a procedure to disable by registry the AutoRun
(KB953252) and this procedure only applies to W2k, W2k3, WXP,Wvista.
MS found that although the procedure was implemented, the result was No OK,
but en WVista was Ok. This situation was because they
need to modify also in XP,2k and 2k3 the shell32.dll, the same modification
that KB950582 made.

In this case MS decided to publish this modification (for XP,2k..) with the
same KB because both modified the same, but one (vista & 2k8) was for a
critical vulnerability,
and the other was only a prerequisit to run a procedure. Is, for this reason
that exist KB950582 hotfix for all the systems but, WSUS only shows for Vista
and W2k8.

I was very confused with this decision...

The conclusion, i think is: You must install hotfix KB950582 on Vista and
W2k8 because exista Important Vulnerability, and on Xp, 2k and 2k3 you
install only if you need to
implement the KB953252. (There aren't problem if you install on all of
sistems)

Sorry for my english, and I hope that i have clarified your doubts.

Joan

 

Hi Eddie

this info i think is a good info:

There were two separate issues involved here:
1) Autorun
2) Windows Explorer Search - RCE

#1 Autorun was an advisory which affected XP / WS03 / Vista and was placed
only on the DLC because it was an advisory.
However, the Vista package also contained #2 (Windows Explorer Search – RCE)
and is why it was released via WU / WSUS.

If you look under the FAQ for MS08-038, you will see it also contains the
following:

Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the “Vulnerability Detailsâ€
section of this bulletin, this security update also resolves a publicly known
issue with Autorun functionality in Windows Vista and Windows Server 2008
systems. The update correctly disables the right-click and double-click
behavior controlled by the NoDriveTypeAutorun registry key. This corrects the
issue identified in CVE-2008-0951 on Windows Vista and Windows Server 2008.
For more information on the usage of this registry key, see the TechNet
article, NoDriveTypeAutoRun.

Hope this helps.

 

If i can add by 2.5 cents worth here, KB950582 should be released for Windows
XP and Server 2003 especially with the W32.Conflicker [?] or W32.Downadup
malware floating around. Additionally, this is probably also needed by
companies to comply with PCI DSS requirements.

It's not even available in the Windows Catalog.

Gis