MS09-010 960477 KB923561 FAILED on all Servers.

Discussion in 'Windows Update' started by JustJeff, Apr 16, 2009.

  1. JustJeff

    JustJeff Guest

    Trying to install on Windows 2003 Servers SP2 up to date patches. All new
    patches install except above. Work around appears to be

    This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
    This file is set to read/execute only for the "everyone" group. Because of
    this, it causes the patch to fail installation. I have tested and confirmed
    that changing the permissions for the file to read/write will allow the patch
    to apply. I then changed it back to read/execute.

    Since this will require a lot of administrative effort, I wrote a quick
    script to change the permissions on this file to RW, and then another to
    change it back to read/execute.

    However - Why should I need to do this? Should it not just install?
     
    JustJeff, Apr 16, 2009
    #1

  2. PA Bear [MS MVP], Apr 16, 2009
    #2

  3. JustJeff

    JustJeff Guest

    Yes - but how does one get around the issue? This is happening on a
    significant number of servers. MS email support is a joke.

     
    JustJeff, Apr 16, 2009
    #3
  4. [Jeff, if I knew why you were experiencing these failures and how you could
    "get around" them, I'd tell you. Let's let some others reply to your
    thread.]
     
    PA Bear [MS MVP], Apr 16, 2009
    #4
  5. do you have some sort of hardening template installed? I don't have
    "read/execute for the Everyone group" on mine?
     
    Susan Bradley, Apr 17, 2009
    #5
  6. Warning Undo this workaround before installing this security update.

    In order to apply the access list, run the following commands from the
    command prompt. Note that some of these may result in an error message,
    this is expected.

    echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /P everyone:N
    echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /P everyone:N
    echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /P everyone:N
    echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /P everyone:N
    echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /P everyone:N
    echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /P everyone:N
    echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E /P everyone:N

    Impact of workaround. Upon implementing the workaround, the user will no
    longer be able to convert Word 6 documents to WordPad RTF or Word 2003
    documents. Microsoft Office Word will return an error saying, "The file
    appears to be corrupted."

    How to undo the workaround.

    echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /R everyone
    echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /R everyone
    echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /R everyone
    echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /R everyone
    echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /R everyone
    echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /R everyone
    echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E /R everyone

    You did the mitigation, you have to undo it first.
     
    Susan Bradley, Apr 17, 2009
    #6
  7. Disable the Word 6 converter by restricting access

    An administrator can apply an access control list to affected converters
    to ensure that the converter is no longer loaded by WordPad and Office.
    This effectively prevents exploitation of the issue using this attack
    vector.

    Warning Undo this workaround before installing this security update.
     
    Susan Bradley, Apr 17, 2009
    #7
  8. Hello Jeff,

    I have not been following the whole thread, and only see the past 3 posts.
    But I must say, I actually have not seen any problems with this update,
    or others. I don't see why you have to alter any permissions for any updates
    to be installed on any server unless basic out of the box configuration has
    been altered or a security template has been applied.

    Have you made any configuration changes to your DCs and servers, such as C:
    drive permission changes, disabled services (such as the required DHCP
    Client service), or anything like that based on company SOP? Are you only
    using your internal DNS servers for all machines' IP properties?


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Apr 17, 2009
    #8

  9. To add, after looking into it deeper, and I don't know if this was discussed
    in this thread, but it appears the following article indicates the
    installation may fail if 960906 was installed prior to this installation.
    MS09-010: Description of the update for Windows WordPad Converter: April 14,
    2009
    http://support.microsoft.com/?id=923561

    And this is 960906, that indicates it changes permissions on that file:
    Microsoft Security Advisory: Vulnerability in Wordpad Convertor could allow
    remote code execution
    http://support.microsoft.com/?id=960906

    I assumed if you have numerous servers, that you read the bulletins and
    articles prior to installation?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 17, 2009
    #9
  10. That's because the newsservers are still horked and have been for the past
    month or so.

    Here's the entire thread as archived in Google Groups:
    http://groups.google.com/group/micr..._frm/thread/6da270a647dd3f35/3a3fab655525f3da

    Right now, it's showing eight (8) posts, including your two (2). Expand the
    quote in the first post (mine) to see Jeff's first post.
     
    PA Bear [MS MVP], Apr 18, 2009
    #10

  11. Thanks, PA Bear.

    I reviewed the posts and it looks like Susan provided a script to take care
    of it. I also agree with her question if a security template may have been
    possibly applied to the machines causing this. Other than that, I can't
    think of anything else that could be causing it. I myself, have not seen
    this issue on any of my servers or my customers' servers.

    btw - OT, curious about your name. Where are you located? Wilkes Barre or
    there abouts? I'm near Philly.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Apr 18, 2009
    #11
  12. I'd guess the mitigation had already been undone on these servers, since
    Everyone had RX permission. Probably someone made a mistake either when
    applying the mitigation or removing it and accidentally zapped the Administrator
    permissions which should have remained unchanged.

    JustJeff: the correct permissions for the mswrd8.wpc file (and the other files
    in the same directory) are:

    BUILTIN\Users:R
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F

    Harry.
     
    Harry Johnston [MVP], Apr 21, 2009
    #12
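
An added example, not part of the original thread: a PowerShell audit to run on each server before deploying KB923561, reporting converter files that still carry an Everyone entry or that lack full control for Administrators or SYSTEM. The file paths are the ones named in the posts above; the function name `Test-ConverterAcl` and the pass/fail rules are assumptions, and applying the Administrators/SYSTEM rule to the TextConv files goes beyond what post #12 states for the Accessories directory.

```powershell
# Added example: audit WordPad/Office converter file ACLs before installing KB923561.
# Assumed rules: no Everyone ACE should remain once the 960906 workaround is undone,
# and Administrators and SYSTEM should hold Allow/FullControl.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$relative = @(
    'Windows NT\Accessories\mswrd6.wpc',
    'Windows NT\Accessories\mswrd664.wpc',
    'Windows NT\Accessories\mswrd8.wpc',
    'Common Files\Microsoft Shared\TextConv\mswrd632.wpc',
    'Common Files\Microsoft Shared\TextConv\mswrd632.cnv'
)

function Test-ConverterAcl([string]$Path) {
    # Resolve ACEs to SIDs so the check does not depend on localized group names.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules    = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $findings = @()

    # S-1-1-0 is Everyone; "cacls /E /R everyone" removes all of its entries.
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq 'S-1-1-0') {
            $findings += "Everyone: $($r.AccessControlType) $($r.FileSystemRights)"
        }
    }
    # S-1-5-32-544 is BUILTIN\Administrators, S-1-5-18 is NT AUTHORITY\SYSTEM.
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {
        $ok = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if (-not $ok) { $findings += "$sid lacks Allow FullControl" }
    }
    return $findings
}

foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $p = Join-Path $root $rel
        if (-not (Test-Path $p)) { continue }   # not every converter exists on every host
        $f = @(Test-ConverterAcl $p)
        if ($f.Count -eq 0) { "OK    $p" } else { "CHECK $p : " + ($f -join '; ') }
    }
}
```

Any `CHECK` line marks a file to fix before pushing the update; the script only reads ACLs and changes nothing.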