[willydejoe1234]

this is my compilation

Attached File(s)

•  HFSLIP.log.rar (1.55K)
  Number of downloads: 16

[tommyp]

Please keep this thread on topic for windows update list corrections.

It may be worthwhile to edit your hfslip.ini file to delete the NoKillBits line. Also, it maybe worthwhile for you to compare your hotfix list from what is presented on the xp hotfix page. Please start a new thread if you run into probs.

This post has been edited by tommyp: 28 December 2008 - 12:28 PM

[willydejoe1234]

I have compiled this whole process .reg and everything went perfect ... I think you should put on the page updates for XP SP3 ..... I do not know that I have HFANSWER.INI anything about killbits
so that other users know ....
any suggestions regarding my question on the Windows Installer 4.5?
thank you and sorry for the inconvenience.
I feel much painful English

This post has been edited by willydejoe1234: 28 December 2008 - 12:42 PM

[Martin H]

Hi Tommy

Thank you so much for making such a great update list, i really appreciate your efforts, mate

I think that the XML3 update 'Windows2000-KB955069-x86-ENU.EXE', shouldn't be listed as 'Optional' under it's 'Notes' section...

(If i'm wrong then i apologise).

Very minor issue, but just thought that i would report it...

Thank's again, mate

[tommyp]

Thanks Martin H. It's a yes and no situation. The entire msxml "block" is optional. If you slipstream msxml, then it's critical. If you don't slipstream msxml then you don't need it. So you're right, it's optional. However, I take the ratings from MSFT's security bulletin (MSxx-yyy).

[Martin H]

Thank's for your reply, mate

Anyway, sorry for my bad wording maybe, but what i meant was that i believe that XML3 is default in Win2k-SP4, and hence, XML3 updates wouldn't be 'Optional' then...

On Tomcat's old list, then when you haven't selected any of the optional XML installers, then the 'HF' section still lists this update:

Windows2000-KB936021-x86-ENU.EXE S MS07-042 Vulnerability in MSXML3

And that update has now been replaced by the XML3 update on your new list i.e. 'Windows2000-KB955069-x86-ENU.EXE'.

Again, if i'm wrong, then i'm really sorry for wasting your time with my nonsence...


CU, Martin.

Edit: I found this on wikipedia's MSXML page:

Windows 2000 SP4 also ships with MSXML 3.0

http://en.wikipedia.org/wiki/MSXML

This post has been edited by Martin H: 29 December 2008 - 04:41 PM

[Martin H]

Hi Tommy

Sorry for keeping bothering you, but when you have the time/motivation, then could you please tell me if you disagree with what i said above?

Thanks in advance.

[tommyp]

I'll move the MSXML 3 hotfixes out of the optional and in the "upper" list. The severity rating that is presented will still be what MSFT says.

[Martin H]

Thanks alot for your reply, mate

Btw, it's just 1 hotfix and i've never disagreed with your severity ratings...

Thanks again, mate

[Martin H]

@Tommy:

When using your Win2k list, then hfnetchk/qfecheck shows no missing patches/problems, but on WU, then except the obvious ones that i didn't include, then states that i'm missing:

• Windows2000-KB926122-x86-ENU.EXE (MS07-039)
  
• IE5.01sp4-KB938127-Windows2000sp4-x86-ENU.exe (MS07-050)

The first one is an error since it's for 2K-Server, but the next one seems legit to me:

When downloading and unpacking it, then it contains one updated binary: vgx.dll v5.0.3854.2500, and the inf copies/overwrites it into '%programfiles%\Common Files\Microsoft Shared\VGX\', and the old vgx.dll on the ISO is v5.0.3014.1003

Again, if i'm wrong, then i'm really sorry for the bother...

Edit: Btw, i know that KB938127 is replaced on Win2k with IE6-SP1, but not for Win2k IE5-SP4...

This post has been edited by Martin H: 03 January 2009 - 08:42 PM

[tommyp]

Thanks Martin. Your contributions are always welcomed. I'm glad that you're double checking this stuff, there are too many variations to test out. I think the active directory one you mention is way old. 926122 was superceded by 943484 which was superceded by 949014 which was superceded by 957280 (Oct 2008). I'm not sure why WU says it's needed. You do bring up a valid one with the 938127. I'll add i to the 2K/IE5 variant.

[Martin H]

Thanks alot, my friend

CU, Martin.

[pointertovoid]

Hello everybody! Happy new year to all.
I've been following this thread for some time and used HfSlip with pleasure.

In TommyP's list from January (updated 1/13/09 4:56 PM), I can still see KB951071 which I believe is obsolete. (Another forum member already noticed it in December). From my notes,

MS08-065 KB951071 replaces MS07-065 KB937894

Thanks to TommyP for his list, it really helps.
Bye!

Edited: I've just read "Another spammer" instead of "Another forum member" in my post. I certainly didn't mean spammer, and I'm quite sure I didn't write it. I fear my account is pirated.

This post has been edited by pointertovoid: 16 January 2009 - 06:51 PM

[pointertovoid]

KB955417 should be useful at least to French users of W2k-Xp-2k3...

You may enjoy (or regret) the explanation by Microsoft here:
http://support.microsoft.com/?scid=kb%3Ben...p;x=12&y=12

In short, if you install a W2k-Xp-2k3 in any language with the option "French-France" then you get a fixed "secret" key for your PStore, or "protected storage system". Yes, that's it: you have the very same key as the French interior minister has.

PStore is where, for instance, Outlook Express stores your secret key to access your mail account.
And many other programs do similar "secure" storages, it's there:
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
EFS, the file encryption by Ntfs (which should be avoided anyway for other reasons) as well stores the encryption key in PStore.

I find the explanation by Microsoft interesting to read, as
- Other countries had restrictive laws on cryptography in 1999. Did these allow a working PStore then? Or don't they allow a patch now?
- French law allowed cryptography with short keys (about 40 bits) then, if memory serves. It would have been easy to truncate the key to 40 bits instead of zero bit, to my feeling.
- And with 40 bits keys, Microsoft could have disclosed this restriction. With zero bit keys, all the user's interface gives the impression of a properly working PStore.
- French law changed in 1999 to allow 128 bits and shortly later to allow any key length without governmental approval.
W2k had an Sp1, Sp2, Sp3, Sp4, R1 and about 70 patches before KB955417 was issued in 2008.
Xp appeared 2 years after the 1999 law and had an Sp1, Sp2 and Sp3.
W2k3 appeared 4 years after 1999 and had an Sp1 and Sp2.
(As for Nt4, Microsoft doesn't issue any patch more, so it's everyone's guess whether the unique secret key impacted it or not)
- KB955417 is not published as a security bulletin, but rather as a kind of "function improvement" covered by Wga... Though, my feeling is that the unique key does impact security.
So may I express the shadow of my doubt whether Microsoft had all the necessary freedom to improve this weakness quickly?

Microsoft's proposal with KB955417 is that it recreates the account's PStores with a new, this time random, secret key, and transfers the contents of PStore. This sounds good, and gives us all reason to use KB955417 with confidence.

Another parry (can probably be combined with KB955417) to be considered would be, at least for new installations of W2k-Xp-2k3, to choose the "French-Switzerland" or "French-Canada" option (or any free country) when creating the administrator account and later any user account, and switch to "French-France" for normal use if this is of any advantage.

May I point out that, since any foreign governmental agency knows as much as the French do, such a weakness on nearly all computers in France may be fine for some French governmental agencies, but is not the country's best interest?

[tommyp]

Thanks for the clarification on that outdated hotifx. Unfortunately I will not include the french pstore issue with my list. I am trying to maintain a critical update list only, just as the_guy did.

[pointertovoid]

Hi TommyP and everybody!

What about MsXml2 and MsXml3:

I believe to understand from http://en.wikipedia.org/wiki/MSXML that Xml2.5 ships with W2k and comprises the file MsXml.dll (and MsXmlr.dll and MsXmla.dll, all without a number) and is replaced by Xml3 - could you confirm that no application can call Xml2.5 when Xml3 is installed? I'm not easy with Clsid.

This would be a different case from Xml3, 4, 6 which can and should coexist side-by-side.

In this case, my impression is that slipping Xml3, Xml4 and Xml6 with their latest Sp's makes W2k as up-to-date as possible, and that adding an Sp to Xml2 (as is proposed in TommyP's list) is less secure than adding Xml3. What's your opinion?

The downloadable installer for Xml2 seems to be redundant with the one brought by W2k, and less good since it's not translated.

For my own list, I don't check any more if an update is critical, as this takes me more time than noting all updates, and as Microsoft marks as uncritical some weakness that are critical to my eyes.

As for PStore: I believe KB955417 is an awful lot more critical than announced by Microsoft - but if you plan to set your Win on Dutch or Portuguese you don't have to care.

[tommyp]

It's not really my call what you want to slipstream. I can only suggest what files to put where to get a successful installation. In fact, I have other non-essential hotfixes that aren't listed in my hotfix list but are in my HF folder to take care of USB issues and driver specific issues. Anyway, if you want msxml, then just put those files where they need to go. If you don't want it, then don't put them there. If you intentionally omit a file, things may not work (as in the case with msxml).

I did a little comparison on this msxml updates.

Windows 2k SP4 ships with msxml.dll and msxmlr.dll versions 8.0.6730.0. This is updated via KB955069. This is on the upper part of the list.

Windows 2k SP4 does not ship with msxml3. However, if one installs IE6 OR the post SP4 rollup, you introduce MSXML3.dll and MSXML3R.dll to the system. The final version is in the post sp4 rollup.

Windows 2k does not ship with msxml2.dll. However, if one optionally chooses to slipstream other msxml types, they can, and this is in the optional section of the list. I extracted the files to see what was included and you will need both files in the HF directory because the XML-SP does not include all the MSXML files needed.
msxml3.msi - msxml2.dll msxml2a.dll and msxml2r.dll versions 8.30.9530.0
msxml2sp6-kb887606 - msxml2.dll version 8.30.9531.0 but does not include the required 2a and 2r files.

[pointertovoid]

Xml2 files from W2k don't always bear a "2", and that's confusing.

That is, the Msxml.dll v8.00.6730.0, Msxmla.dll and Msxmlr.dll that ship with W2ksp3 are Xml2.
I refer to Microsoft's list: http://support.microsoft.com/kb/269238
This is why I believe the Xml2 installer KB823490 is not needed.

Though, I didn't find in Microsoft's list KB269238 (linked above) a confirmation from Wiki's assessment, that installing Xml3 prevents applications from accessing Xml2. KB269238 says rather that MS06-61 defines a kill bit that prevents just Internet Explorer from using Xml2.6.

So I still ignore if updating Xml2 is still necessary after installing Xml3.

[pointertovoid]

I've just tried to install msxml2sp6-kb887606 on a working W2k sp4 r1 ie6.0sp1 Mdac2.8sp1 that already has up-to-date Xml3, Xml4 and Xml6.

It is true that msxml2sp6-kb887606 wants to have msxml2.msi added to W2k before msxml2sp6 can be installed.

Even more bizarre, both let W2k's Msxml.dll and Msxmlr.dll untouched - these are the old xml2 brought by Mdac and others.

msxml2.msi adds xml2 files called Msxml2.dll and Msxmlr2.dll (note the "2" in the name) and msxml2sp6 updates Msxml2.dll.

Now, considering that
- Xml3 is supposed to replace Xml2 and take over all calls to Xml2
- Xml2 isn't maintained any more by Microsoft (since 2004 !)
- But all these dll do have exposed entry points that a virus could - might - perhaps call
- And neither msxml2.msi nor msxml2sp6 suppresses the older dll but add more unmaintained dll,

I consider that adding msxml2.msi and msxml2sp6 brings no functionality but makes W2k weaker instead of stronger, and won't use them unless someone has other arguments in their favour.

Has somebody tried to suppress Msxml.dll and Msxmlr.dll from W2k as well? As they aren't used by honest software any more, Win would be stronger without them. Wouldn't it?

[tommyp]

pointertovoid - Please keep this thread for corrections to the WU list. If you wish to have msxml discussions, please begin a new thread. Thanks.