tommyp

Windows Updates

776 posts in this topic

Thanks for your reply, mate :)

Anyway, sorry for my bad wording maybe, but what I meant was that I believe that XML3 is default in Win2k-SP4, and hence, XML3 updates wouldn't be 'Optional' then...

On Tomcat's old list, then when you haven't selected any of the optional XML installers, then the 'HF' section still lists this update:

Windows2000-KB936021-x86-ENU.EXE S MS07-042 Vulnerability in MSXML3

And that update has now been replaced by the XML3 update on your new list i.e. 'Windows2000-KB955069-x86-ENU.EXE'.

Again, if I'm wrong, then I'm really sorry for wasting your time with my nonsense...

CU, Martin.

Edit: I found this on Wikipedia's MSXML page:

Windows 2000 SP4 also ships with MSXML 3.0

http://en.wikipedia.org/wiki/MSXML

Edited by Martin H

Hi Tommy :)

Sorry for keeping bothering you, but when you have the time/motivation, then could you please tell me if you disagree with what I said above?

Thanks in advance.


I'll move the MSXML 3 hotfixes out of the optional and in the "upper" list. The severity rating that is presented will still be what MSFT says.


Thanks a lot for your reply, mate :)

Btw, it's just 1 hotfix and I've never disagreed with your severity ratings...

Thanks again, mate :)


@Tommy:

When using your Win2k list, then hfnetchk/qfecheck shows no missing patches/problems, but on WU, then except the obvious ones that I didn't include, then states that I'm missing:

The first one is an error since it's for 2K-Server, but the next one seems legit to me:

When downloading and unpacking it, then it contains one updated binary: vgx.dll v5.0.3854.2500, and the inf copies/overwrites it into '%programfiles%\Common Files\Microsoft Shared\VGX\', and the old vgx.dll on the ISO is v5.0.3014.1003

Again, if I'm wrong, then I'm really sorry for the bother...

Edit: Btw, I know that KB938127 is replaced on Win2k with IE6-SP1, but not for Win2k IE5-SP4...

Edited by Martin H

Thanks Martin. Your contributions are always welcomed. I'm glad that you're double checking this stuff, there are too many variations to test out. I think the active directory one you mention is way old. 926122 was superseded by 943484 which was superseded by 949014 which was superseded by 957280 (Oct 2008). I'm not sure why WU says it's needed. You do bring up a valid one with the 938127. I'll add it to the 2K/IE5 variant.


Hello everybody! Happy new year to all.

I've been following this thread for some time and used HfSlip with pleasure.

In TommyP's list from January (updated 1/13/09 4:56 PM), I can still see KB951071 which I believe is obsolete. (Another forum member already noticed it in December). From my notes,

MS08-065 KB951071 replaces MS07-065 KB937894

Thanks to TommyP for his list, it really helps.

Bye!

Edited: I've just read "Another spammer" instead of "Another forum member" in my post. I certainly didn't mean spammer, and I'm quite sure I didn't write it. I fear my account is pirated.

Edited by pointertovoid
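Added example (not written by any poster in this thread): a small checker for the supersedence questions raised in the posts above. The KB pairs in the table are the ones quoted in the thread; the function names and the sample list are made up for illustration.

```python
# Supersedence pairs (older KB -> KB that replaced it), as quoted in the posts above.
SUPERSEDED_BY = {
    "KB926122": "KB943484",
    "KB943484": "KB949014",
    "KB949014": "KB957280",
    "KB936021": "KB955069",
}


def latest(kb, table=SUPERSEDED_BY):
    """Follow the chain from kb to its newest replacement; reject cyclic data."""
    seen = [kb]
    while kb in table:
        kb = table[kb]
        if kb in seen:
            raise ValueError("supersedence loop: " + " -> ".join(seen + [kb]))
        seen.append(kb)
    return kb


def audit(hotfix_list, table=SUPERSEDED_BY):
    """Return (obsolete, missing): entries to drop and final KBs not yet listed."""
    listed = set(hotfix_list)
    obsolete = {kb: latest(kb, table) for kb in hotfix_list if kb in table}
    missing = sorted(set(obsolete.values()) - listed)
    return obsolete, missing


def explain_offer(offered_kb, installed, table=SUPERSEDED_BY):
    """Classify an update a scanner offers although the list looks complete."""
    final = latest(offered_kb, table)
    if final == offered_kb:
        return "installed" if offered_kb in installed else "needed"
    if final in installed:
        return f"stale offer: covered by {final}"
    return f"install {final} instead"


if __name__ == "__main__":
    # Constructed sample list, not tommyp's actual hotfix list.
    sample = ["KB936021", "KB949014", "KB955069", "KB938127"]
    print(audit(sample))
    print(explain_offer("KB926122", {"KB957280"}))
```

A "stale offer" result only says that the table contains a newer replacement; supersedence can differ per product or IE version, as with KB938127 above, so the table has to be kept per variant.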

KB955417 should be useful at least to French users of W2k-Xp-2k3...

You may enjoy (or regret) the explanation by Microsoft here:

http://support.microsoft.com/?scid=kb%3Ben...p;x=12&y=12

In short, if you install a W2k-Xp-2k3 in any language with the option "French-France" then you get a fixed "secret" key for your PStore, or "protected storage system". Yes, that's it: you have the very same key as the French interior minister has.

PStore is where, for instance, Outlook Express stores your secret key to access your mail account.

And many other programs do similar "secure" storages, it's there:

HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

EFS, the file encryption by Ntfs (which should be avoided anyway for other reasons) as well stores the encryption key in PStore.

I find the explanation by Microsoft interesting to read, as

- Other countries had restrictive laws on cryptography in 1999. Did these allow a working PStore then? Or don't they allow a patch now?

- French law allowed cryptography with short keys (about 40 bits) then, if memory serves. It would have been easy to truncate the key to 40 bits instead of zero bit, to my feeling.

- And with 40 bits keys, Microsoft could have disclosed this restriction. With zero bit keys, all the user's interface gives the impression of a properly working PStore.

- French law changed in 1999 to allow 128 bits and shortly later to allow any key length without governmental approval.

W2k had an Sp1, Sp2, Sp3, Sp4, R1 and about 70 patches before KB955417 was issued in 2008.

Xp appeared 2 years after the 1999 law and had an Sp1, Sp2 and Sp3.

W2k3 appeared 4 years after 1999 and had an Sp1 and Sp2.

(As for Nt4, Microsoft doesn't issue any more patches, so it's everyone's guess whether the unique secret key impacted it or not.)

- KB955417 is not published as a security bulletin, but rather as a kind of "function improvement" covered by Wga... Though, my feeling is that the unique key does impact security.

So may I express the shadow of my doubt whether Microsoft had all the necessary freedom to improve this weakness quickly?

Microsoft's proposal with KB955417 is that it recreates the account's PStores with a new, this time random, secret key, and transfers the contents of PStore. This sounds good, and gives us all reason to use KB955417 with confidence.

Another parry (can probably be combined with KB955417) to be considered would be, at least for new installations of W2k-Xp-2k3, to choose the "French-Switzerland" or "French-Canada" option (or any free country) when creating the administrator account and later any user account, and switch to "French-France" for normal use if this is of any advantage.

May I point out that, since any foreign governmental agency knows as much as the French do, such a weakness on nearly all computers in France may be fine for some French governmental agencies, but is not the country's best interest?


Thanks for the clarification on that outdated hotfix. Unfortunately I will not include the French PStore issue with my list. I am trying to maintain a critical update list only, just as the_guy did.


Hi TommyP and everybody!

What about MsXml2 and MsXml3:

I believe to understand from http://en.wikipedia.org/wiki/MSXML that Xml2.5 ships with W2k and comprises the file MsXml.dll (and MsXmlr.dll and MsXmla.dll, all without a number) and is replaced by Xml3 - could you confirm that no application can call Xml2.5 when Xml3 is installed? I'm not easy with Clsid.

This would be a different case from Xml3, 4, 6 which can and should coexist side-by-side.

In this case, my impression is that slipping Xml3, Xml4 and Xml6 with their latest Sp's makes W2k as up-to-date as possible, and that adding an Sp to Xml2 (as is proposed in TommyP's list) is less secure than adding Xml3. What's your opinion?

The downloadable installer for Xml2 seems to be redundant with the one brought by W2k, and less good since it's not translated.

For my own list, I don't check any more if an update is critical, as this takes me more time than noting all updates, and as Microsoft marks as uncritical some weaknesses that are critical to my eyes.

As for PStore: I believe KB955417 is an awful lot more critical than announced by Microsoft - but if you plan to set your Win on Dutch or Portuguese you don't have to care.


It's not really my call what you want to slipstream. I can only suggest what files to put where to get a successful installation. In fact, I have other non-essential hotfixes that aren't listed in my hotfix list but are in my HF folder to take care of USB issues and driver specific issues. Anyway, if you want msxml, then just put those files where they need to go. If you don't want it, then don't put them there. If you intentionally omit a file, things may not work (as in the case with msxml).

I did a little comparison on these msxml updates.

Windows 2k SP4 ships with msxml.dll and msxmlr.dll versions 8.0.6730.0. This is updated via KB955069. This is on the upper part of the list.

Windows 2k SP4 does not ship with msxml3. However, if one installs IE6 OR the post SP4 rollup, you introduce MSXML3.dll and MSXML3R.dll to the system. The final version is in the post sp4 rollup.

Windows 2k does not ship with msxml2.dll. However, if one optionally chooses to slipstream other msxml types, they can, and this is in the optional section of the list. I extracted the files to see what was included and you will need both files in the HF directory because the XML-SP does not include all the MSXML files needed.

msxml3.msi - msxml2.dll msxml2a.dll and msxml2r.dll versions 8.30.9530.0

msxml2sp6-kb887606 - msxml2.dll version 8.30.9531.0 but does not include the required 2a and 2r files.

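Added example (not part of any post here): a file-version audit of the kind done by hand in this thread for vgx.dll and the msxml2 files. The baseline versions are the ones quoted in the posts; the function names and the sample inventory are constructed for illustration.

```python
def parse_version(text):
    """'8.00.6730.0' -> (8, 0, 6730, 0); each field is compared as an integer."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


# Minimum versions quoted in the thread (file name -> version string).
BASELINE = {
    "vgx.dll": "5.0.3854.2500",
    "msxml2.dll": "8.30.9531.0",
    "msxml2a.dll": "8.30.9530.0",
    "msxml2r.dll": "8.30.9530.0",
}


def audit_files(found, baseline=BASELINE):
    """Compare found {file: version} against the baseline, case-insensitively."""
    found = {name.lower(): ver for name, ver in found.items()}
    report = {}
    for name, wanted in baseline.items():
        have = found.get(name.lower())
        if have is None:
            report[name] = "missing"
        elif parse_version(have) < parse_version(wanted):
            report[name] = f"outdated ({have} < {wanted})"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Constructed inventory: old vgx.dll from the ISO, and an msxml2.dll
    # without the msxml2a.dll / msxml2r.dll companion files.
    inventory = {"VGX.DLL": "5.0.3014.1003", "msxml2.dll": "8.30.9531.0"}
    for name, status in audit_files(inventory).items():
        print(name, status)
```

Comparing the fields as integers is what makes "8.00.6730.0" and "8.0.6730.0" (both spellings appear in this thread) the same version, and keeps a five-digit build number from sorting below a four-digit one as it would in a string comparison.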

Xml2 files from W2k don't always bear a "2", and that's confusing.

That is, the Msxml.dll v8.00.6730.0, Msxmla.dll and Msxmlr.dll that ship with W2ksp3 are Xml2.

I refer to Microsoft's list: http://support.microsoft.com/kb/269238

This is why I believe the Xml2 installer KB823490 is not needed.

Though, I didn't find in Microsoft's list KB269238 (linked above) a confirmation from Wiki's assessment, that installing Xml3 prevents applications from accessing Xml2. KB269238 says rather that MS06-61 defines a kill bit that prevents just Internet Explorer from using Xml2.6.

So I still ignore if updating Xml2 is still necessary after installing Xml3.


I've just tried to install msxml2sp6-kb887606 on a working W2k sp4 r1 ie6.0sp1 Mdac2.8sp1 that already has up-to-date Xml3, Xml4 and Xml6.

It is true that msxml2sp6-kb887606 wants to have msxml2.msi added to W2k before msxml2sp6 can be installed.

Even more bizarre, both let W2k's Msxml.dll and Msxmlr.dll untouched - these are the old xml2 brought by Mdac and others.

msxml2.msi adds xml2 files called Msxml2.dll and Msxmlr2.dll (note the "2" in the name) and msxml2sp6 updates Msxml2.dll.

Now, considering that

- Xml3 is supposed to replace Xml2 and take over all calls to Xml2

- Xml2 isn't maintained any more by Microsoft (since 2004!)

- But all these dll do have exposed entry points that a virus could - might - perhaps call

- And neither msxml2.msi nor msxml2sp6 suppresses the older dll but add more unmaintained dll,

I consider that adding msxml2.msi and msxml2sp6 brings no functionality but makes W2k weaker instead of stronger, and won't use them unless someone has other arguments in their favour.

Has somebody tried to suppress Msxml.dll and Msxmlr.dll from W2k as well? As they aren't used by honest software any more, Win would be stronger without them. Wouldn't it?


pointertovoid - Please keep this thread for corrections to the WU list. If you wish to have msxml discussions, please begin a new thread. Thanks.

