http://www.nwfusion.com/news/2004/0819mspatch.html By John Fontana Network World Fusion 08/19/04 Microsoft Thursday released a fix for the Windows XP Service Pack 2 installation package it provided to corporate users of its free patch deployment server to correct a flaw that would not allow IT to stealthy install the service pack without end-user intervention. The problem affected those using Microsoft's Software Update Services (SUS), a free Windows server add-on that runs behind the corporate firewall. SUS allows companies to create a centralized internal staging area and schedule the distribution of patches after they are tested and approved instead of downloading patches from Microsoft directly to desktops. Microsoft informed users that the deployment of XP SP2 through SUS would be "silent" and not require any end-user intervention, but that turned out not to be the case to the surprise and dismay of users. "Client computers did not silently install the service pack at the scheduled time," says Brian Doré, an administrator in the office of information systems at the University of Louisiana at Lafayette. "Instead they wait for a user login and prompt to start the SP2 Wizard and [end user license agreement]. Users can also cancel the install at this point. Obviously it was a major problem." Doré says the university typically silently installs service packs in the wee hours of the morning. "Users that arrived at work the next morning were greeted with the SP2 Wizard when they logged on and were given the choice to cancel or install. Those that canceled were not patched. Those that accepted the install could not use their computers for up to 30 minutes while the patch installed." So instead of having his desktops updated, Doré was left with a hodge-podge of patched and unpatched clients and forced to temporarily block his SUS server from distributing SP2. The fix was made available Thursday and SUS users will automatically get a small update file when they synchronize SUS servers with the Microsoft Windows Update service that provides patches, according to Microsoft officials. Users also can execute a manual download to get the file. The synchronization will not download the entire XP SP2 package if it has already been downloaded. Microsoft officials said the problem was with the "install parameters" of the XP SP2 package made available to SUS users and not with XP SP2 itself. The fix is contained in a 1M-byte file called aurtf.cab, which contains the metadata to update the XP SP2 install package for SUS. SUS works in conjunction with a client side mechanism called Automatic Updates, which grabs the patches from the SUS server and installs them on the desktop. Last week, Microsoft issued a set of tweaks for Automatic Updates that block it for the next 120 days from automatically downloading XP SP2 directly from Microsoft's Windows Update service. Users had asked for more time to test the patch before Automatic Updates kicked off on Monday. Microsoft is expected soon to post information on the SUS issue on its SUS Web site [1]. [1] http://www.microsoft.com/windowsserversystem/sus/default.mspx _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 03:20:35 PDT