Microsoft: August 2006 Archives
MS06-042 is causing issues with CA Servicedesk even when XP sp2 is the Operating System. The previously reported fix for MS06-042 is for Windows 2000 and XPsp1 only. There is an announced rerelease of MS06-042 due by August 22nd. The release is said to be for all versions of IE6sp2. It's hoped that means this problem will be resolved. Some people think the release will only contain the currently available hotfix.
The SANS ISC covers the issue here.
SANS mentions the MS06-042 problem that I spoke of here. They are reporting that Internet Explorer crashes when accessing some websites while using WINXPSP1 or Windows 2000. They mention Peoplesoft web applications in particular.
A hotfix is now available at http://support.microsoft.com/kb/923762/en-us
I first saw this over at myitforum and verified it in my own testing. After applying MS06-042 to a Windows 2000 sp4 computer, I am unable to go to www.theregister.co.uk using IE6sp1. IE crashes and offers to send a report to Microsoft.
I've checked over the known issues and caveats, and I don't see the problem listed clearly there. It could be that TheReg needs to clean up their code a bit. I also called my TAM, who hasn't heard of that being a known issue (other than the caveats regarding ActiveX and Java). The Register is a major tech news site, so I'm expecting to hear more about this.
This could be interesting because 35-40% of my enterprise has Windows 2000. How many sites could potentially have similar problems? What's odd is that the front page of www.theregister.com doesn't have this issue; it's only when I click on links which then call the mothersite that a problem occurs. I think it's something in their advertising.
UPDATE - My TAM has recommended disabling HTTP 1.1 as a workaround. I wasn't able to reproduce the problem today, so I didn't try that. I have heard that the problem is with sites using compression and that an update will be out this week.
Should Microsoft Update Patch Third Party Device Drivers? Alan Paller says yes.
Would the patches be deployable through SMS SUS Security Updates or ITMU? I'm not sure they could do that before the next SMS update. If it's only available through Microsoft Update, that doesn't do me a lot of good.
I'm not sure why Alan thinks that Microsoft should patch everything on the system. Perhaps they should update drivers that came on their own Windows distribution CD, but in most cases the drivers are installed by the OEM, not Microsoft. It's like asking Microsoft to provide patches for Winamp.
It's already incredibly difficult for them to fully q/a their own patches. Imagine trying to q/a third party device drivers. I think the emphasis should be on using SMS to make it easier to deploy these third party apps. The SMS 2003 R2 CAB system that Flash 9 is taking advantage of is probably the right direction.
Our vulnerability scanner is reporting some servers as vulnerable to MS06-038, which is a vulnerability in PowerPoint. It is detecting this because C:\Program Files\Common Files\Microsoft Shared\OFFICE*\MSO.DLL is the wrong version. These systems for the most part don't have Office on them. MSO.DLL also gets installed as a component of Visual Studio.
When you look at the list of affected components for MS06-038 here, it lists Visual Studio. But then in the security bulletin itself, there is no mention of it.
It is my understanding that the vulnerability is in mso.dll so the system could still be vulnerable. The question is how to fix it?
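To confirm what the scanner is keying on, the following added example (not from the original post or from Microsoft) inventories every MSO.DLL under the shared Office folders and compares its file version with a per-release minimum. The values in `$MinimumByMajor` are placeholders, and the variable names are assumptions; take the real patched versions from the file information in the bulletin for each product.

```powershell
# Added example: list MSO.DLL copies under the shared Office folders and
# compare each file version with a minimum patched version.
# ASSUMPTION: the versions below are PLACEHOLDERS, not real patch levels.
# Replace them with the values from the bulletin's file information.
$MinimumByMajor = @{
    10 = [version]'10.0.0.0'   # OFFICE10 (Office XP), placeholder
    11 = [version]'11.0.0.0'   # OFFICE11 (Office 2003), placeholder
}

# Same path the scanner checks, built from the Common Files location.
$pattern = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\OFFICE*\MSO.DLL'

$results = foreach ($file in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
    $vi = $file.VersionInfo
    # Build the version from the numeric parts; the FileVersion string
    # can carry extra text that does not parse as a version.
    $ver = New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Patched versions differ per Office release, so look up by major version.
    $min = $MinimumByMajor[$ver.Major]
    $status = if ($null -eq $min) { 'NoThresholdDefined' }
              elseif ($ver -lt $min) { 'BelowMinimum' }
              else { 'AtOrAboveMinimum' }

    [pscustomobject]@{
        Path    = $file.FullName
        Version = $ver
        Minimum = $min
        Status  = $status
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { Write-Output "No MSO.DLL found under $pattern" }
```

A copy that shows up on a server without Office points to another product, such as Visual Studio, having installed the shared component.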



