| Microsoft to release out-of-band security update 11/23 that impacts Windows. Exploit code must either be out there or close to it. *gulp* | |
|
| I've recently had a spat of clients who were not able to select Restart Later when they received updates via Automatic Updates. I validated that they should in fact be able to perform this function - Elevate non-admins was enabled and the updates did not have a deadline within WSUS. After quite a bit of investigation, we figured out what the cause for us was. As always, your mileage may vary.
In the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate, there was a key DisableWindowsUpdateAccess with a value of 1. That indicates that a policy, either Group Policy or Local Policy, is in effect. You can attempt to delete the key, but any sort of policy will put it back upon refresh. You can do a gpresults to figure out which.
For me, it was a local policy, so I launched GPEdit.MSC, navigated to User Configuration\Administrative Templates\Windows Components\Windows Update, selected Remove Access to use all Windows Update features, and changed it to Disabled. This is one of those great double negatives of policy - disable the removal of access means that it's effectively enabled. | |
|
| - Tags:tv, wsus
- Mood:I got nothin'
| |
|
| “This download installs Microsoft® Windows® Script containing Visual Basic® Script Edition (VBScript.) Version 5.7, JScript® Version 5.7, Windows Script Components, Windows Script Host 5.7, and Windows Script Runtime Version 5.7.” Windows Script 5.7 for Windows 2000 (Yeah, I am surprised by this one myself…) Windows Script 5.7 for Windows XPWindows Script 5.7 for Windows Server 2003I do not know what additional functionality this new version provides. I have not seen this updated on WSUS either. EDIT - It's worth noting the there is no Vista update, because Vista already have WSH 5.7. | |
|
| Short post - Install your critical update MS07-017 now, either by letting Automatic Updates do it's job or visiting Microsoft Update. This one is already being exploited. For those security minded folk, the Microsoft Security Reponse Center blog has a great article about what this is, how clients can be impacted, and why this was an out of band release. | |
|
| I postulated the other day that, with the new Office 2007 category showing in WSUS right before Patch Tuesday, we'd been seeing the first security updates. Well, not so much. Patch Tuesday has come and gone, and while there were many Office updates, none for the 2007 version. Hummm. We also failed to receive a Vista security update. Could it be that Microsoft actually... I dunno ... might have done something leaning towards making things more secure? | |
|
| Per the WSUS team blog, there will be a new category for Office 2007 in WSUS starting today. Given the the advance notification lists two bulletins for Microsoft Office and one affecting Windows and Office coming out on Patch Tuesday, I'm thinking we're going to get our first Office 2007 security bulletin a mere weeks after consumer product launch. | |
|
| Remember how I was pondering when SMS became a category within WSUS? Well, yesterday Microsoft released SMS SP2 to WSUS. Now, through WSUS, you can update your SMS environment. There's just something wacky about that... The upside of this, though, is that I think we can actually push out the revised SMS console to machines via WSUS when the service pack is applied to the server. Of course, why you would ever do that function that way I don't know... - Tags:sms, wsus
- Music:Dinah Washington - Why Was I Born?
| |
|
| Okay, when did Systems Management Server (SMS) become a category in WSUS? Did I miss a memo? Especially when the next version of the product will have a totally different (and, in my mind, dispised) name (System Center Configuration Manager 2007).
Also, for the first time, Windows Media Player (version 11), Windows Rights Management Services Client (w/SP2), and Remote Desktop Connection (version 6) are deployable via WSUS. Very interesting.... | |
|
| Wow. That was frighteningly simple. The client's think they are getting a security update just like they normally get, and BOOM! IE7 is installed.
Of course, I did everything with local administrative privs. Tomorrow, I try all of this again with user privs. This has been a stumbling point with IE previously, since you had to have administrative credentials to log in the first time after reboot for everything to go well. - Tags:ie7, wsus
- Location:Rialtus' Lab
- Mood:shocked
 - Music:Edie Brickell & The New Homemians - What I Am
| |
|
| http://blogs.technet.com/msrc/archive/2006/09/26/459194.aspxHey everyone, Craig Gehre here. We’re in the process of releasing out of band update MS06-055 to address the VML issue. At the moment, Windows Update, Microsoft Update, and Autoupdate are live. We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly. Until that time the links might not work in the bulletin until the packages appear on the download center. The WSUSscan.cab for SMS and MBSA 2.0 users is also in process and will be published soon. We’ll provide a follow-on blog post shortly once we get everything up. We're also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well. -Craig | |
|
| Meant to put this out yesterday to y'all, but ran out of time. Yesterday, Microsoft released their monthly battery of security updates, and one of them is fairly ciritical. The exploit of this vulnerability would allow anonymous users to be able to run anonymous code, and according to Microsoft, there is already exploit code available. I figure it's only a matter of time before that code becomes automated and results in a nasty virus. So if you run a moderm Windows operating system (Windows 2000, XP, or Windows Server 2003), do yourself a favor an get to Microsoft Update and apply the security updates -- specifically MS06-040 (KB921883). If you are system admin, start testing with WSUS/SMS/manual technologies, and get this to your clients. | |
|
| http://blogs.msdn.com/ie/archive/2006/07/26/678149.aspxThat's right. IE 7 will be able to be implemented through Automatic Updates as a Critical patch, planned for later this year. Presumably, this also means WSUS will get this. I'm curious about how SMS 2003's ITMU will address this. At this time, XP SP2 is the target for desktop -- no plans for W2K SP4 or XP SP1. Vista will have this bulit in would be my guess. On the server side, it's Windwos Server 2003 SP1, again with no plans for W2K or Windows Server 2003 RTM. Presumably, Longhorn will have this built in. From TFA: We are also providing a Blocker Toolkit for our enterprise customers who may want to block automatic delivery of IE7 in their organizations; this blocker has no expiration date. Enterprise customers can download the free Blocker Toolkit from the Microsoft Download Center today. We’ve also made additional information for IT administrators available at the Windows Update/Microsoft Update site on TechNet. Further, regarding the Blocker Toolkit, from the download site: Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 7, within their environment. | |
|
| We just got a rash of clients calling in with failures for KB873352, which is the MS05-005 update for Office XP. We're investigating this as we speak. This post will be updated with new info as I have it. Looks like Microsoft updated the Office XP Service Pack 3 bits overnight. They are now dated July 11, 2006, which is NEXT Tuesday -- specifically Patch Tuesday. This can't be a coincidence. Per http://support.microsoft.com/gp/lifean21 -- "Mainstream Support for Office XP is scheduled to end on July 11, 2006." There's that date again. | |
|
| When using WSUS or Windows Update, trying to install XP SP2, you'll get error 0x8007f0f4.
Chances are this is a laptop or tablet machine. Believe it or not, this error means you are not on AC Power. On tablets, even when plugged into AC, sometimes the computer will think it's running in battery mode and not install the update. You can validate this by going to the Control Panel, Power Options, and the tab Power Meter.
Solution: Plug into AC Power. If you already were, shut down, remove the batteries, plug into AC Power, and try again.
Told you it was esoteric... | |
|
| I've been fighting an issue with both my Automatic Updates service and Background Intelligent Transport Service stopping on client machines. Automatic Updates is failing with Event ID 7023 from Service Control Manager, with the description "The class is configured to run as a security id different from the caller" and BITS is getting an Event ID 7024 also from Service Control Manager, with the description "The Background Intelligent Transfer Service service terminated with service-specific error 2147500053 (0x80004015)." This could also be related to SMS agents not downloading policy from the associated Management Point. ( More techy-talk inside the cut )- Tags:sms, wsus
- Mood:frustrated
 - Music:A boring staff meeting
| |
|
| |
![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small}
rialtus
