Windows

It's Windows Patch Tuesday: September 2008

Justin James presents a rundown on the latest batch of Windows patches. He wades through the available resources and brings you the information you need to make the right decision on applying them in your organization.

First off, I would like to welcome you to a new TechRepublic feature, Windows Patch Tuesday. Each month, we will be going through the latest batch of Windows patches as soon as the information is finalized and summarize it for you. We wade through the pages and pages of Knowledge Base articles and other resources and bring you the information that you need to make decisions on these patches. Please let us know in the forum what you think!

Here is the Patch Tuesday roundup for September 9, 2008.

Security patches

MS08-052/KB954593 - Critical: This patch addresses an issue in GDI+ (the graphics subsystem) where malformed images could be used to create a stack overflow, which in turn would let an attacker get control of the system. It is aimed at all versions of Windows and should definitely be installed. There are also a number of patches not just for Windows, but for non-Windows products such as the .Net Framework (1.0 - 2.0) and Visual Studio to correct the same vulnerability. These additional patches are listed in the KB article.

MS08-053/KB954156 - Critical: This patch fixes a security problem in Windows Media Encoder 9, for all versions of Windows. The bug allows attackers to use a Web page to gain full control of the system. The rays of sunshine here are that the bug was not reported yet, and that the user would need to be running as an administrator for the exploit to work. You will want to get this patch installed immediately to protect your users before exploits hit the Web.

MS08-054/KB954154 - Critical: This patch addresses another Windows Media problem, this time with Windows Media Player 11. Like the previous patch, users running with administrator rights can be victimized by a specially targeted media file (in this case, audio files), which can hijack the system. Install this one ASAP too.

Other patches

KB947821: This is an update to the Vista and Windows Server 2008 System Readiness Tool. The System Readiness Tool checks a system out to make sure that there are no inconsistencies in the registry, file system, etc. that would cause updates to fail. Ironically, this patch fixes some issues that it was having, where on occasion it would hang or not work right and prevent updates from installing. It's not critical, and you probably won't need it unless you have been having problems.

KB954366: An unfortunate aspect of running Vista is compatibility problems. Microsoft periodically releases Application Security Updates, and this is the August 2008 edition. If you have been having software, hardware, driver, etc. compatibility problems, you will want to install this update. It is a cumulative update, too, so don't worry if you have missed previous versions. This one includes updates for SQL Server 2005 and .Net Framework 3.5, and more.

KB955302: This is one of those generic "reliability and performance updates" that Microsoft likes to release; it is aimed at Vista and Windows 2008. Big items?

  • Improvements to reliability on systems using ReadyBoost
  • Fixes to WiFi NICs having performance problems after switching networks after coming out of hibernation (that's a pretty specific problem!)
  • Some data loss issues caused by Disk Cleanup (losing data is one way to do a "disk cleanup" I suppose)
  • Stability improvements for systems using Nvidia video cards (I can stop blaming Nvidia for those now)

You'll probably want to install this one.

KB956697: Apparently, Hyper-V has been having problems with its Volume Shadow Copy hooks, which are keeping it from backing up VMs properly on systems running Windows Server 2008 x64. This patch fixes that. If you are using x64 Windows Server 2008 and Hyper-V, install this one pronto! Otherwise, don't sweat it.

KB900325: This is a big rollup patch for Media Center 2005. It also adds a number of additional fixes, all of which are minor. If you are running Media Center 2005 and haven't patched it in a while, you will want to install this; otherwise it is not a "right now" item.

KB951618: This addresses a problem with Onekey Recovery 5.0 causing black screens on XP SP2 and Vista after installing SP1. If you aren't using Onekey Recovery, you don't need this patch.

"The Usual Suspects": Of course, there is the usual set of Windows Defender updates, Outlook and Exchange Junk Mail signature updates, and so on.

About

Justin James is the Lead Architect for Conigent.

57 comments
turquoise_85941
turquoise_85941

As with all your articles, informative, timely, and well worth noting to PC users at all levels.

quintasTiberius
quintasTiberius

Listing the patches with plain english explanations is certainly a huge assist to IT administrators who don't have time to click on each patch and wade through the Microsoft gibberish. What would be perfect is if you follow up the list with reported issues caused by specific updates. This might help us to avoid problems before we patch.

rick.fitch
rick.fitch

This is a great new feature. Many thanks. But what about the XP SP3 update? Is it stable? Is it worth installing? I've been holding off because I am a little short on diskspace and need to do some cleanup and I haven't heard anything definitive about it (except for the nagging alerts that say I definately need it)

Justin James
Justin James

SP3 is outside of the scope of this monthly feature, since it was already released when this was written. I've heard some good things about SP3, I've heard some bad things about it. I personally have no experience with it, so I cannot say for certain. I would definitely suggest that you bring this up in our forums, and get some feedback from others. The grain of salt, here, is that for everyone person that had a bad experience, each one will say so, but you will only hear from one in ten people who had a good experience, it's just the nature of things. :) J.Ja

kenbarrett
kenbarrett

I tried to install SP3 three times, but keep getting a dialog window stating 'Access Denied ...'. Anyone else getting this? I have no unusual things installed.

gbhall
gbhall

Internet connectivity fails when using black hole routers, which drop packets (see Susan Bradley's May 1 column in our paid content and Microsoft's Knowledge Base article 314825). ? False positives are generated by Norton Internet Security and other security applications (see my May 2 Top Story). ? Device Manager settings go missing, especially in connection with using Norton Antivirus (see Susan Bradley's column in the May 29 newsletter as well as KB 953791). ? Repeated rebooting occurs on machines using an AMD processor (see Susan Bradley's May 22 column and KB 953356). ? You can't install any new updates (see KB 943144). ? Third-party visual styles encounter problems (see the Support Alert Newsletter of June 19). These problems (at least) are down to SP3. (I am quoting from Windows secrets - see my link a coule of posts above this one). 96% of users seems to have no problems, but if you do, there are ways of avoiding them if you take certain pre-emptive precations). I can tell you that all of the SP2 old stuff, and about 85% of post-SP2 critical updates are automatically removed by Sp3 - from c:\windows\$NTuninstall...blah blah, and you end up saving a reasonable amount of space, but unfortunately, before your PC gets this space released, it needs 64Mb at least for the SP3 install, and it can be much more. You could clean these areas yourself before-hand, but I cannot predict any bad consequences - at the least you would not be able to unistall some of the critical patches which still seem to have hung around post-sp3. As usual, the approach taken by MS is that everybody is able to absorb at least 500Mb of wasted space without any problems, which has always annoyed the hell out of me.

john3347
john3347

I am in the "top" 4% if it is accurate that 96% of SP3 users have no problems. I have had problems on all three SP3 applications that I have attempted - serious problems. Will not boot after installation, various applications will not work after installation, etc., etc. Two computers required format and reinstallation of Windows to return to service. I have learned, through experimentation, that the installation of SP3 on a fresh Windows install goes smoothly and presents no obvious problems. All my applications install without problems if SP3 is installed prior to the application installation.

lewruss
lewruss

How can I be notified on this on later patches? Do you have something I can subscribe to? This is very valuable information. Lew

Mark W. Kaelin
Mark W. Kaelin

If you click on the Special Report tag near the top of the blog entry "Windows Patch Tuesday" you will find a RSS icon. Whenever this Special Report gets updated the RSS will update too.

SubgeniusD
SubgeniusD

This is the top of blog entry: It's Windows Patch Tuesday: September 2008 Tags: windows, software, patch tuesday There are no other tags. I've clicked and searched all over the place for 15 minutes and give up. But thanks for trying.

Mark W. Kaelin
Mark W. Kaelin

Look for: Special Reports ? See more posts on: Windows Patch Tuesday

johnchris
johnchris

"KB900325: This is a big rollup patch for Media Center 2005. It also adds a number of additional fixes, all of which are minor. If you are running Media Center 2005 and haven?t patched it in a while, you will want to install this; otherwise it is not a ?right now? item." Why do you bring this up now? As far as I can make out, Microsoft issued this in 2005. jcg

Justin James
Justin James

You know, you are 100% correct. Microsoft puts out a list of the items in "patch Tuesday", and this one was on the current list. Looking at the KB, I can see that it is an older one as you say. Lesson learned: double check the dates when looking at the items! Thanks! J.Ja

normhaga
normhaga

>"MS08-053/KB954156 - Critical: This patch fixes a security problem in Windows Media Encoder 9, for all versions of Windows. ... [u]The rays of sunshine here are that the bug was not reported yet[/u]." Hogwash, I have known about this exploit for a year or more. Ditto with the one above regarding the GDI exploit. Neither required Administrative privileges. I could probably dig out the links explaining the exploit when it was zero day from my backups.

Justin James
Justin James

This is certainly not the first time that a bug with that description has plagued Windows. I would not be surprised in the slightest if the one you are thinking about is an older one. The KB on this one claimed it needed Admin rights and was previously unreported, so I would be inclined to beleive that you are thinking of a previous itertion of this. Of course, it makes me ask, "since they know these kinds of bugs come up, why do they keep finding them instead of getting them all fixed up front?" J.Ja

normhaga
normhaga

But then it begs the question of why it was not fixed the first time? It also begs "What hidden feature for MS is MS covering with this?"

Justin James
Justin James

Yeah, that's something that we unfortunately see a lot, not just in Microsoft apps, but *particularly* in Microsoft apps. Someone discovers a particular vulnerability, the vendor fixes that instance of it, but doesn't look for similar bugs, 6 months later ANOTHER patch comes out to resolve the same problem in a different part of the software. I don't care to think of how many times I've now seen the "a malformed multimedia file in Windows Media Player can give control to a hacker" issue get fixed. It's maddening! J.Ja

ebsfrmr
ebsfrmr

Great concept, thank you! In fact, today I had a situation occur where I wonder if the update created an issue for my 3 month old Dell Vista computer. Late Tuesday night my computer became unresponsive, so I shut it down. When I rebooted it, it had 3 updated to install. This morning, I booted my computer and it ran a CHKDSK routine for a couple hours...not sure if it is related to the Windows update, or if I have another issue. No other software was installed this week, or settings changed. Seems to be running okay...any ideas?

Justin James
Justin James

I know that one of the updates is designed to resolve problems where the "Software Readiness Tool" (part of the update process) would hang, but at the same time, it didn't mention that the computer would be fully unresponsive. Did Event Viewer provide any clues? J.Ja

ebsfrmr
ebsfrmr

Everything looks logical, I can see the events showing warnings about some updates not being acceptable (KB905866, KB938464, KB954154, KB954366M, KB954154), And finally a notice that KB954366 requires a reboot, and the final message stating Restart Required to install all the updates... I am not sure why the CHKDSK scan was "scheduled" at the time of boot up yesterday morning...can not see anything alarming. My guess is, if no one else is reporting problems then I must have something else going on. This forum is proving to be a big help in eliminating possible causes. Thanks,

nerdy_gurl
nerdy_gurl

I have hoped someone would do this for a long time. At the small business where I work we've been doing a lot of code updating on our Office 07 Access front end (coupled with SQL Server 2005). I have been a little more cautious with MS updates lately, and waiting on SP3 for XP so far except for one test machine (mine). So this very helpful resource is real nice to have! Liz T. (edit) Not fully 'alive' when I posted this in the wrong place --sorry!!

Top.Gun
Top.Gun

Great idea. Would be better if it is available sooner, but keep it up.

Justin James
Justin James

Yeah, as I posted above, I waited until Microsoft released the details of the security patches to put this out. I'll bring up the idea of posting it and updating it as more details become avilable, which could stretch over a few days, since the non-security stuff gets published a few days early. J.Ja

harkn
harkn

After a disastrous patch episode, I set Windows Update to notify only, then wait to see if any problems are reported. Aside from requiring that I be alert to those reports, this method increases the window of vulnerability and subjects us to the annoying reminders that interrupt productivity. Your service is a boon to everyone who can't decipher the cryptic patch descriptions in order to determine the local importance, and I intend to depend upon it as a reliable guideline from which to make decisions. Thank you!

Old-Fart-IV
Old-Fart-IV

I also received the following updates for an XP machine: Article ID : 952241, Bulletin ID : MS08-052 A security issue has been identified that could allow an attacker to compromise your Windows-based system running the Microsoft Visual Studio 2008 and gain complete control over it. Article ID : 951944, Bulletin ID : MS08-055 A security vulnerability exists in the 2007 Microsoft Office System and the Compatibility Pack for the 2007 Office System that could allow remote code execution. Article ID : 954326, Bulletin ID : MS08-052 A security vulnerability exists in Microsoft Office system 2007 that could allow arbitrary code to run when you open a maliciously modified file. This update resolves that vulnerability.

Justin James
Justin James

That first and third patch you mention are actually related to the first one listed in the article (same security bulliten, different KB; the KB I reference includes information about them). I probably should have spelled this out more though. The "malformed image" issue affects Visual Studio & Office (warning!). the second one must be an Office-specific one. Thanks for the updates! J.Ja

medbiller
medbiller

3 months ago I acquired my brand new DELL XT Tablet PC with Vista Bussiness. I installed SQL 2005, Visual Studio 2008 and a few other utilities. I ran a Disk Cleanup just to get familiar with the new OS. IT WIPED OUT ALL MY INSTALLED PROGRAMS! Hope this patch fixes that, but I'm afraid to test. Great section. Keep up the good work.

Justin James
Justin James

This is a new item for us, we would loveto hear your feedback! Was this useful to you? Not useful? How can we improve it to help you do your job? Thanks! J.Ja

JimTheEngineer
JimTheEngineer

When you talk about a patch, could you specify in the first line which of the Windows versions this applies to, or if it applies to a specific program (say, Outlook), specify if you can ignore it if you never use that program. Thanks! - Jim

rmlounsbury
rmlounsbury

As everyone else has stated already... THANK YOU! It is really ironic because I was just poking around the net earlier today for a Patch Tuesday review site. It hasn't happened but on rare occasion that Microsoft neutered my servers with a Patch Tuesday release.

BEAR1BEAR
BEAR1BEAR

It would be nice if with the patches you also included which OS they're for. Not everyone has abandoned XP & 2000 in favor of Vista.

Justin James
Justin James

In some of them I do mention the version of Windows affected, but I could have made it more obvious. I will be doing this from here on out. Thanks for letting me know! J.Ja

SubgeniusD
SubgeniusD

Just want to add my congratulations for yet another excellent TR idea and service. As a subscriber to several TR bulletins I almost always visit here from these emailed notifications. Would it be possible to include this Patch Tuesday outline in the list of available subscriptions? That way it would be sent immediately and not as part of another bulletin - in this case the XP tips, which came 2 days later. Thanks again JJ. DanH.

john3347
john3347

This information, in "street" language, is severely needed and equally useful. I also would love to be able to subscribe to a regular report of this nature. Thanks for a fine job on this one Justin. (edited to correct a misspelling)

Mark W. Kaelin
Mark W. Kaelin

Click the Windows Patch Tuesday Special Reports tag and then click the RSS feed link to subscribe.

SubgeniusD
SubgeniusD

Thanks. I wasn't looking at the original article where that info is clearly presented.

Mark W. Kaelin
Mark W. Kaelin

It says: Special Reports ? See more posts on: Windows Patch Tuesday That is where you can pick up the RSS feed.

SubgeniusD
SubgeniusD

Thanks but these are the only tags SeaMonkey sees: It's Windows Patch Tuesday: September 2008 Tags: windows, software, patch tuesday

Justin James
Justin James

Dan - First off, I'm glad that this was helpful to you! I will be sure to pass this suggestion along, too. I am sure that at the absolute worst, you could probably get Google News or a similar site/service to let you know when we get a new one out there. Another "hack" here, is that we are working to get these published within a few hours of Microsoft making the patch details public. This month, that happened around noon/early afternoon EST on "Patch Tuesday" (the second Tuesday of the month), and we had this up before close of business EST. J.Ja

Justin James
Justin James

First off, thank you to *everyone* for their incredibly kind comments! We are glad that we were able to put something out that people are really using. From the feedback we have gotten so far, it seems like the timing is something that we need to look at. We are kicking around some ideas to see what we can do to get the information in your hands even earlier while still having to live with Microsoft not getting out all of the information until the last moment, and then needing to do the analysis and write up of it. If you have any ideas on that, we would love to hear them! Please keep the feedback coming so we can make this the best possible resource for you! J.Ja

fmcgann
fmcgann

Oh, man! This little tool is way overdue! Ditto to ALL posts! Thanks for your effort in developing this process- I know it's time consuming.

rbrooks
rbrooks

Justin you are the man!!

StephenInScotland
StephenInScotland

This is an excellent idea. Please keep it going. My only gripe is this one is a bit late. The first 2 patches came up and were installed 2 days ago on my machine. But at least I know I did the right thing. (ps a previous article you did on SP3 for XP proved a life saver. I followed a link from the article which warned of issues with my motherboard and having to stick a USB drive into the MB USB slot to get it to boot. Without this I was looking at a full reformat. Thanks)

gbhall
gbhall

even this late, I would find it useful to review the link you refer to about SP3 problems.

Justin James
Justin James

Glad that you liked it! Unfortunately, while Microsoft often releases some or all of the non-security related patches in advance, or at least posts KB's about them, many of the security patches are not documented until the last moment. This is because they fear (right or wrong) that if you document a bug, or describe a patch for a bug that is not a publically known bug, that it gives "the bad guys" a chance to develop exploit code before the patch is released. In this case, the non-security patches were actually described on 9/4/2008, but the security patches were not described until 9/9/2008, a bit after noon EST. So yes, while we were a bit behind on the non-security stuff, we were within hours of the security stuff. I'll talk to the team here, and see if maybe what we want to do is to release an "early version" with the non-security stuff, and then update it as more details become known. I can think of some good points and some bad points to that though. J.Ja

eric
eric

This is a great resource to have! Thanks for the contribution.

network admin
network admin

Bless you, bless you, bless you! You have made my life that much happier! Look forward to readying these every month!

Dumphrey
Dumphrey

its a very good round up and in a familiar place =) Long overdue is right! I test them all befor releasing them, but this saves me from reading EVERY kb... bless you!

Marty-7
Marty-7

MS Security bulletins are very poorly written, so I find this extremely valuable. Plain English versions - no nonsense, tells you why, what's 'hot' and what's not. All on one page. Love it to pieces! PLEASE do it again next month!

john.aboud
john.aboud

Immensely helpful. Makes my job MUCH easier! Thank you VERY much. See you next month.

lobrutto
lobrutto

good job, wish ms would do it as well as you did.

Ceespace
Ceespace

My version of XP downloaded and installed SP3 on monday - then I spent tuesday trying to get VB6 to work with the webbrowser component (again) While doing this I came across the immense list of what SP3 fixed in a very abbreviated form. It would be great to get a more detailed and why we need this look at these when they come out

rasilon
rasilon

Excellent!! I think we all have been waiting for a tool like this to explain in relatively simple terms what the patches are, what they do and the need for them. Makes it much easier telling my users about Patch Tuesday and why it is a "good thing"...Thanks for this.... Hank Arnold (MVP)

Editor's Picks