Windows

It's Windows Patch Tuesday: May 2009

Justin James presents a rundown on the May 2009 batch of Microsoft Windows patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

Welcome to the May 2009 issue of TechRepublic's Patch Tuesday coverage. The biggest item since April is that the Vista and Windows 2008 Service Pack 2 was released to manufacturing. Don't look for it in your automatic updates yet, because it's not there. In fact, at the time of this writing, it's not available to the general public yet either (MSDN and TechNet subscribers can access it, though).

I just finished installing it on one PC this morning, and I am trying to install it on another. I can tell you that as of now, you'll need to uninstall most of your language packs first. And many Vista machines seem to require that language packs be uninstalled one at a time... and each one takes 20 minutes. No idea what's wrong with those language packs (they also seem to interfere with the Add/Remove Windows Add-Ons system), but Microsoft really needs to correct that situation.

As another Microsoft Windows Vista SP2 heads up, it seems to have reset my default sound devices to the most recently installed items, so my soundcard was no longer putting out sound in favor of my phone headset.

Previous TechRepublic Microsoft Windows Blog posts in the Patch Tuesday series are available on the Special Reports search page.

Security patches

MS09-017/KB967340 -- Critical (PowerPoint 2000) / Important (PowerPoint XP, Office 2003, Office 2007, Office 2004 and 2008 for Mac, Open XML File Converter for Mac, PowerPoint View 2003, PowerPoint Viewer 2007, Office Compatibility Pack 2007, Works 8.5, Works 9.0): There are a number of security bugs in PowerPoint (some privately disclosed, some publicly disclosed) that allow a specially modified PowerPoint file to take over your computer. This patch resolves the problems. It is critical for PowerPoint 2000 users and only important for all other users.

The patch changes the way PowerPoint handles memory when opening files, and it blocks the opening of PowerPoint 4.0 files. You should apply this patch immediately, since it is sure that attackers will be trying to exploit it with PowerPoint files supposedly containing images of serene scenes with words of wisdom and a calming soundtrack, advising you to appreciate the small things in life.

Other updates

There are no major nonsecurity updates this month.

"The Usual Suspects": Updates to the Malicious Software Removal Tool, ActiveX Killbits (released on April 28th), and Junk Email filters.

Changed, but not significantly:

Updates since the last Patch Tuesday

There have been a number of minor items since the last Patch Tuesday:

  • KB969497 -- Updated compatibility view list for IE8
  • KB944036 -- IE8 for XP with Language Interface Pack
  • KB947821 -- System Update Readiness Tool
  • KB953338 -- Windows SharePoint Services 3.0 SP2
  • KB955430 -- Required update for additional updates to Vista and 2008 to work and a prerequisite from here on out
  • KB961503 -- Double-byte character string fix for XP, which affects Windows Live Messenger 14

Changed, but not significantly:

  • IE8 for Vista and 2008 (added new language packs)
  • MS09-012/KB952004 -- Security Update for Windows 2000 (minor changes to the Norwegian version)
  • KB110806 -- .Net Framework 2.0 SP1
  • KB929300 -- .Net Framework 3.0 SP1 (changed priority from "Recommended" to "Important" for Japanese version)
  • KB936330 -- Vista SP1 (service pack blocker tool is now expired)

In addition, the following items have all been marked as available for Vista SP2 and 2008 SP2:

Stay on top of the latest XP tips and tricks with TechRepublic's Windows XP newsletter, delivered every Thursday. Automatically sign up today!

About

Justin James is the Lead Architect for Conigent.

16 comments
nicholas.rose
nicholas.rose

One of these patches breaks the slide scanning software PhotoImpression6 from Arcsoft running under XP. Could not find any documented evidence of this problem on Google. I had to perform a drive image restore and switch Automatic Updates to manual before regaining functionality. I am now taking restore points and loading one patch at a time to identify the offending patch. When I find it I will let you know.

rmbreed
rmbreed

I am not an IT professional. My apologies for taking up your time with a personal problem. Windows Update keeps bugging me to install XP SP3. When I read about it, nothing seemed to be important to a personal computer. I have read of problems with XP SP3, and the install program warns to set a recover point, which scares me even more. Is there any reason I need to install it on a personal computer? Thank you.

allenmorehead
allenmorehead

My express patch listing now contains IE8. There is no check box to clear to prevent it from downloading. How do I avoid IE8?

arnoldmuscat
arnoldmuscat

Hi ALL I have xp pro and office pro. Since I installed BCM for Outlook and Net framework.....and I have installed SP2. This changed the clviewer.exe I can't access my offline F1 help for any of the suite. Googled and found no answers but similar problem experienced by other. MESSAGE: Setup Controller experienced problem during install...-OK- next message MS office help viewer not topics. This is the CLVIEW.EXE file, tried to copy and paste an old one no luck. Tried repair

Photogenic Memory
Photogenic Memory

I wonder what was the reason behind them and just how powerful was the exploit?

SES21
SES21

Why isn't it called "Microsoft Patch Tuesday" instead?

Mark W. Kaelin
Mark W. Kaelin

Did you (or are you) have trouble with this month's patch? What steps are you taking to prepare for Windows Vista SP2?

dl
dl

You would be extremely prudent to install Service Pack 3 for Windows XP. It fixes a slew of bugs and other defects. In addition, it is required for a number of applications and utilities -- otherwise they won't work or install. It is 312 MB and you are best off if you download it from: http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en It will probably take about an hour to download. The Knowledge Base article enables you to see how long it will take depending on your type of internet connection. The Knowledge Base article will try to steer you to Microsoft Update, but installing it manually is more foolproof. Just save the file to a directory and then when you're ready to install it do the following: (1) Disconnect from the Internet (disable your internet connection) (2) Turn off your anti-virus or Internet Security program (3) Turn off other programs that are running (4) In your file manager (most likely Windows Explorer), find the SP3 file and double click to launch it (5) Immediately close Windows Explorer Let the SP3 install. It will take about 15-30 minutes. Reboot after it installs. That should do the trick.

tnkback
tnkback

Go to Microsoft website for updates. After your computer is checked for install software the available updates will be made available. "INSURE YOU CHECK CUSTOM INSTALL". Click on IE8 and HIDE IT. It will not AUTO downloaded or install. IE8 will eventually be fixed and trustworthy. Personally I use Firefox. It is very dependable.

Justin James
Justin James

In reality, there was only one exploit this month: the PowerPoint exploit. It had a huge number of patches because so many versions of PowerPoint were affected. Outside of that, much of the list here is Microsoft adjusting patch metadata to apply to Vista SP2 and WS2008 SP2, and other minor metadata items to existing patches. J.Ja

interested_amateur
interested_amateur

I got the open source patch for Mandriva 2009 on Tuesday, also. It said these language patches were regarding security and I trust the open source patches a lot more than MS.'s patches. Nothing has broken in the last two days so I guess my intuition is right. Trust open source a lot more than MS. BTW, I wait at least two weeks reading TR before I consider MS.'s patches. I let you suckers who believe everything MS. throws at you to beta-test these patches first. Does IE 8 come to mind? Interested Amateur

Mark W. Kaelin
Mark W. Kaelin

I guess would should make the title more inclusive shouldn't we. Next month it will be Microsoft Patch Tuesday or something along those lines.

mhmartin
mhmartin

Yes, I've tried several times and it will not install. Also tried IE8 last week, keeps crashing

rmbreed
rmbreed

I really appreciate the info.

Justin James
Justin James

You are right, great idea. Originally, we focused only on the Windows patches, but in the last few months we expanded our coverage to more products. J.Ja

dl
dl

When you attempted to install the PowerPoint patch did you get a message that says the installation failed and may be due to a corrupted installation database error? If so, here are the step by step directions to work around the problem. I didn't invent these. I read about this solution online, and refined it. It has worked for me on 3 computers when I had this problem installing Office 2007 SP2 and the May 12, 2009 PowerPoint update. Step-by-Step: You're going to have to do some simple editing in your registry to overcome this problem. Before going into the registry you would be very prudent to establish a new System Restore point from the Control Panel (Performance and Maintenance) as a safety valve. Using the "Run" command from the Windows Start button, type in "regedit" (without the quote marks -- I'm using this convention throughout). Then in the Registry Editor click on File | Export... and export your Registry to your desktop just as another safety valve. Now in the left hand window of the Registry Editor go to HKEY_CLASSES_ROOT Click on the plus sign to the right of HKEY_CLASSES_ROOT to expand the listings underneath. Meander past all those keys that start with a period way down to the "Installer" key and expand it too. Underneath it you'll find "Products". Expand it. You're going to find a slew of keys with long names like 00002105501100000000000000F01FEC. The first 16 or so are for various components of Microsoft Office 2007 (if your computer is like our computers, these will all start with 0000210. You can see what product each is for by clicking on the lengthy name in the left hand window and looking at the ProductName in the right hand window. The data column tells you which product this is for. If it's anything to do with Office 2007, expand the key on the left window and select the key "Patches". Hit Function Key 2 or right click and select "Rename". Simply change the name to "Patches_old". Do this for all of the Office 2007 keys (like I wrote, there are about 16 of them, depending on your installation). The entries to change include those for Microsoft Office Shared Setup Metadata MUI (English) 2007; Microsoft Software Update for Web Folders (English) 2007; Microsoft Office Excel MUI (English) 2007; etc. -- everything involved in Office 2007. When done renaming keys you can install Office Service Pack 2 opening your file manager (most likely the dreadful Windows Explorer) and double clicking on the name of the file you downloaded. Before installing, be sure to disconnect from the Internet and turn off your Internet Security/Anti-virus application and other running applications -- these can, and will, interfere with installation of the Service Pack. After the install works (be patient, it takes some time), be sure to reboot.

Editor's Picks