MS08-038 and KB950582

Discussion in 'Windows Update' started by Joan Delgado, Nov 20, 2008.

  1. Joan Delgado

    Joan Delgado Guest

    Hi all,

    A customer asked me something about this bulletin:

    Microsoft Security Bulletin MS08-038 – Important
    http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx

    MS08-038: Vulnerability in Windows Explorer could allow remote code execution
    http://support.microsoft.com/kb/950582/en-us

    The customer uses WSUS to apply the updates, and they asked me about this
    because this one only applies to Vista and W2k8, but they found this update
    for XP with the same KB. The problem is that WSUS doesn’t show this update for
    XP.

    For example:

    Update for Windows XP (KB950582)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=CC4FB38C-579B-40F7-89C4-1721D7B8DAA5

    Update for Windows Server 2003 (KB950582)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=705305E5-7060-4236-B5D2-40CA63A967FB

    We don’t understand why an update exists for XP, 2k3 and 2k if the bulletin
    only applies to Vista and 2k8, or why it has the same KB.

    When I try to download the update for all versions the Brief Description is
    the same, “Install this update to resolve an issue in which AutoRun features
    were not correctly disabled.”

    Can someone help me understand this situation?

    Thanks in advance
     
    Joan Delgado, Nov 20, 2008
    #1

  2. PA Bear [MS MVP], Nov 20, 2008
    #2

  3. Lawrence Garvin (MVP), Nov 21, 2008
    #3
  4. It looks as though the Windows XP version of the update is not considered
    important enough to be released via WSUS, but has received enough testing to be
    made available via the download center.

    As I understand it, the update corrects an issue which exists in all of these
    Windows versions. However, the issue only creates a security vulnerability on
    Vista and 2008.

    There is more information about the 2k/XP/2003 update in KB953252:

    <http://support.microsoft.com/kb/953252/>

    Harry.
     
    Harry Johnston [MVP], Nov 23, 2008
    #4
  5. Joan Delgado

    Joan Delgado Guest

    Thanks Lawrence,

    I'll be happy if you can explain to me the reason for this strange method of
    publishing the KB article and bulletin.

    If you can, forward me the answer from the WSUS Product Team.

    Thanks in advance
     
    Joan Delgado, Nov 23, 2008
    #5
  6. Joan Delgado

    Joan Delgado Guest

    Thanks Harry,

    I think that's all for me.

    I'm waiting for an answer from Lawrence too.

    Thanks
     
    Joan Delgado, Nov 23, 2008
    #6
  7. Eddie

    Eddie Guest

    Why isn't this patch "important enough" to push the 2k, 2k3 and XP patches to
    WSUS so they are able to be deployed? We are required to push this out to an
    ungodly amount of computers. Can nothing else be done to add these patches?
    If not, is there a way to add it to our WSUS 3.0 server?
     
    Eddie, Nov 25, 2008
    #7
  8. I don't know what criteria Microsoft use to make these decisions. Nor do I have
    any special information about whether this patch will appear on WSUS and/or the
    Microsoft Update catalog in the future; for all I know, it will show up
    tomorrow. I wouldn't bet on it.
    May I ask why? As you've managed without it so far, at the very least I don't
    see why there should be any great urgency.
    Presumably you already use some mechanism to install things like third-party
    software updates on these computers; the same mechanism should be able to
    install this update. You could, for example, use a startup script.
    Technically this is possible, but other methods would be significantly easier.

    Harry.
     
    Harry Johnston [MVP], Nov 25, 2008
    #8
  9. Joan Delgado

    Joan Delgado Guest

    Hi Eddie,

    WSUS automatically shows only the patches that Microsoft develops because
    there is a Security Bulletin (critical, important...) that defines the
    vulnerability.

    WSUS doesn't automatically show all of the patches/hotfixes that Microsoft
    develops.

    In this case, the situation is rare. I'll attempt to explain it.

    In July '08 Microsoft published a Security Bulletin because it detected a
    possible remote execution vulnerability.
    This vulnerability was detected in Vista and W2k8. MS developed a hotfix to
    resolve this. This hotfix modifies the Windows shell,
    specifically Shell32.dll. It is for this reason that KB950582 only affects
    Vista and W2k8.

    Later (August '08), MS wrote a procedure to disable AutoRun through the registry
    (KB953252), and this procedure only applies to W2k, W2k3, WXP, WVista.
    MS found that although the procedure was implemented, the result was not OK,
    but on WVista it was OK. This was because they also
    needed to modify shell32.dll in XP, 2k and 2k3, the same modification
    that KB950582 made.

    In this case MS decided to publish this modification (for XP, 2k...) with the
    same KB because both modified the same thing, but one (Vista & 2k8) was for a
    critical vulnerability,
    and the other was only a prerequisite to run a procedure. It is for this reason
    that the KB950582 hotfix exists for all the systems but WSUS only shows it for
    Vista and W2k8.

    I was very confused with this decision...

    The conclusion, I think, is: you must install hotfix KB950582 on Vista and
    W2k8 because there is an Important vulnerability, and on XP, 2k and 2k3 you
    install it only if you need to
    implement KB953252. (There is no problem if you install it on all of the
    systems.)

    Sorry for my English, and I hope that I have clarified your doubts.

    Joan
     
    Joan Delgado, Nov 26, 2008
    #9
  10. Joan Delgado

    Joan Delgado Guest

    Hi Eddie

    I think this is good info:

    There were two separate issues involved here:
    1) Autorun
    2) Windows Explorer Search - RCE

    #1 Autorun was an advisory which affected XP / WS03 / Vista and was placed
    only on the DLC because it was an advisory.
    However, the Vista package also contained #2 (Windows Explorer Search – RCE)
    and is why it was released via WU / WSUS.

    If you look under the FAQ for MS08-038, you will see it also contains the
    following:

    Does this update contain any security-related changes to functionality?
    Yes. Besides the changes that are listed in the “Vulnerability Details”
    section of this bulletin, this security update also resolves a publicly known
    issue with Autorun functionality in Windows Vista and Windows Server 2008
    systems. The update correctly disables the right-click and double-click
    behavior controlled by the NoDriveTypeAutorun registry key. This corrects the
    issue identified in CVE-2008-0951 on Windows Vista and Windows Server 2008.
    For more information on the usage of this registry key, see the TechNet
    article, NoDriveTypeAutoRun.

    Hope this helps.
     
    Joan Delgado, Dec 3, 2008
    #10
  11. Gis Bun

    Gis Bun Guest

    If I can add my 2.5 cents worth here, KB950582 should be released for Windows
    XP and Server 2003 especially with the W32.Conflicker [?] or W32.Downadup
    malware floating around. Additionally, this is probably also needed by
    companies to comply with PCI DSS requirements.

    It's not even available in the Windows Catalog.

    Gis
     
    Gis Bun, Jan 22, 2009
    #11
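
A local audit of the two things the thread ties together, the NoDriveTypeAutoRun registry value and the KB950582 update. This is an added example, not part of any post and not Microsoft's code. It assumes the machine-wide policy location under HKLM and the documented drive-type bit flags; `Get-AutoRunAudit` and its output field names are made up for illustration.

```powershell
# Added example: audit the AutoRun setting and the KB950582 update on this machine.
# Assumption: only the machine-wide policy value (HKLM) is read; a per-user
# value can also exist under HKCU and is not checked here.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Documented NoDriveTypeAutoRun bit flags; a set bit disables AutoRun for that type.
$DriveTypeFlags = [ordered]@{
    'Unknown (0x01)' = 0x01
    'Removable'      = 0x04
    'Fixed'          = 0x08
    'Network'        = 0x10
    'CD-ROM'         = 0x20
    'RAM disk'       = 0x40
    'Unknown (0x80)' = 0x80
}

function Get-AutoRunAudit {
    param([string]$HotFixId = 'KB950582')

    $prop  = Get-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = if ($prop) { [int]$prop.NoDriveTypeAutoRun } else { $null }

    # List the drive types the configured mask leaves AutoRun enabled for.
    # If the value is absent the OS default applies, so nothing is listed.
    $notDisabled = @()
    if ($null -ne $value) {
        foreach ($entry in $DriveTypeFlags.GetEnumerator()) {
            if (-not ($value -band $entry.Value)) { $notDisabled += $entry.Key }
        }
    }

    # Per the thread, the registry setting is only honoured correctly once the
    # Shell32.dll change shipped as KB950582 is installed. This check is meant
    # for the Windows versions discussed above (2000, XP, 2003, Vista, 2008).
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        NoDriveTypeAutoRun = if ($null -eq $value) { 'not set (OS default applies)' } else { '0x{0:X2}' -f $value }
        AutoRunNotDisabled = $notDisabled -join ', '
        HotFixInstalled    = [bool]$hotfix
        SettingEnforced    = ($null -ne $value) -and [bool]$hotfix
    }
}

Get-AutoRunAudit | Format-List
```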