[ISN] Microsoft fixes XP SP2 patching flaw

From: InfoSec News (isn@private)
Date: Fri Aug 20 2004 - 01:26:52 PDT


http://www.nwfusion.com/news/2004/0819mspatch.html

By John Fontana
Network World Fusion
08/19/04

Microsoft on Thursday released a fix for the Windows XP Service Pack 2 
installation package it had provided to corporate users of its free patch 
deployment server, correcting a flaw that prevented IT staff from 
installing the service pack silently, without end-user intervention. 

The problem affected those using Microsoft's Software Update Services 
(SUS), a free Windows server add-on that runs behind the corporate 
firewall. SUS allows companies to create a centralized internal 
staging area and schedule the distribution of patches after they are 
tested and approved instead of downloading patches from Microsoft 
directly to desktops. 

Microsoft informed users that the deployment of XP SP2 through SUS 
would be "silent" and not require any end-user intervention, but that 
turned out not to be the case to the surprise and dismay of users. 

"Client computers did not silently install the service pack at the 
scheduled time," says Brian Doré, an administrator in the office of 
information systems at the University of Louisiana at Lafayette. 
"Instead they wait for a user login and prompt to start the SP2 Wizard 
and [end user license agreement]. Users can also cancel the install at 
this point.  Obviously it was a major problem." 

Doré says the university typically silently installs service packs in 
the wee hours of the morning.

"Users that arrived at work the next morning were greeted with the SP2 
Wizard when they logged on and were given the choice to cancel or 
install. Those that canceled were not patched.  Those that accepted 
the install could not use their computers for up to 30 minutes while 
the patch installed." 

So instead of having his desktops updated, Doré was left with a 
hodge-podge of patched and unpatched clients and forced to temporarily 
block his SUS server from distributing SP2. 

The fix was made available Thursday, and SUS users will automatically 
receive a small update file when they synchronize their SUS servers with 
the Microsoft Windows Update service that supplies patches, according to 
Microsoft officials. Users can also download the file manually. The 
synchronization will not download the entire XP SP2 package again if it 
has already been downloaded. 

Microsoft officials said the problem was with the "install parameters" 
of the XP SP2 package made available to SUS users and not with XP SP2 
itself. The fix is contained in a 1MB file called aurtf.cab, which 
holds the metadata that updates the XP SP2 install package for SUS. 

SUS works in conjunction with a client-side mechanism called Automatic 
Updates, which retrieves the patches from the SUS server and installs them 
on the desktop. Last week, Microsoft issued a set of tweaks for 
Automatic Updates that block it, for the next 120 days, from 
automatically downloading XP SP2 directly from Microsoft's Windows 
Update service. Users had asked for more time to test the service pack 
before Automatic Updates was due to begin delivering it on Monday. 

Microsoft is expected soon to post information on the SUS issue on its 
SUS Web site [1].

[1] http://www.microsoft.com/windowsserversystem/sus/default.mspx

This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 03:20:35 PDT