XP SP3 "Optional" Hotfixes...


neowillendit

Wut up fellow MSFN Brothers,

I just came across an article a few days ago: http://blogs.zdnet.com/security/?p=2410 about XP not disregarding autorun files on removable media regardless of the registry setting and was informed that there was a hotfix patch for it, which was "optional"...

My question is...since this is what I consider a security concern in my eyes, where can I go to find out about these "optional" hotfixes? I go to Windows Update once a month...I check multiple blogs and article sites...how do I miss things like this...and where can I go to find out the other hotfixes that aren't being offered to me, so that I can decide for myself?

Is there a third party website that keeps track of these? Is it posted on MSDN Forums? Any help is appreciated.

Thank you kindly in advance.

Note that these are indeed "hotfixes", QFE fixes that are relatively untested compared to the regular updates from WU. Installing these is up to you (and you can find most of them on the microsoft.com site, they're all KB'ed), but it might make your install do things you may not want due to potential bugs that won't be found until people use these outside the environment / customer they were written for....

Thanks "Cluberti"...I'm wondering if there is some sort of site, by Microsoft or not, that maintains a sort of list of these so that I can decide for myself and not scour through KB articles for years backwards. Please inform me.

My question is...since this is what I consider a security concern in my eyes, where can I go to find out about these "optional" hotfixes?

It has turned into a real security concern. But Microsoft only patches what they want to patch. As my understanding goes, this is a real Vista security patch, yet it hasn't shown up on XP - wonder why? (and yes I know the answer)

See

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

http://www.msfn.org/board/index.php?showtopic=129051

http://www.msfn.org/board/index.php?showtopic=128880

If you don't like the fact that a security update is not on WU for a specific platform, consider harassing Microsoft about it. If no one complains, it won't change.

I agree, this should probably be on WU for W2K, XP, and 2K3 systems as well as Vista/2008, and although it does require a reg change to make it effective it still seems like it should be public.

Note that these are indeed "hotfixes", QFE fixes that are relatively untested compared to the regular updates from WU.

Some are, some aren't. Although there are plenty of QFE's in the Microsoft KB, usually recognised by the words Hotfix Available and the fact that you have to email or otherwise contact Microsoft PSS to obtain them, there are also fully supported Public updates that, for one reason or other, are available from the Download Center, but are not offered by WU.

One way to discover these (to answer the OP's second point) is to use the Download Center's own search facilities, which can be ordered to show downloads by reverse date (latest first) rather than by Popularity.

... it still seems like it should be public.

This particular one already IS Public:

http://www.microsoft.com/downloads/details...;displaylang=en

Actually, this particular update has a chequered history, because the original vulnerability was only on Vista, not on XP. Fixing the AutoRun behaviour was incidental. Microsoft have privately admitted that releasing the non-Security update for XP with the same KB950582 as the Security Update for Vista was a mistake.

Of course, since it was released in early 2008, everyone is now panicking about AutoRun because of the spread of the Conficker/Downadup worm and KB950582 on XP has gained a new Security status.

... although it does require a reg change to make it effective ...

Not exactly, there's no need to do anything because the update makes the change for you. See the HonorAutorunSetting information given HERE for the full explanation.

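A way to check the AutoRun policy state discussed in the post above, as an added example that is not part of the original thread. The registry path and the NoDriveTypeAutoRun bit meanings are taken from Microsoft's documentation of these policy values rather than from the thread, the function names are hypothetical, and only the HKLM policy key is inspected.

```powershell
# Added example: audit the AutoRun policy values discussed in this thread.
# Assumption: machine-wide policy key only (a per-user HKCU value is not checked).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unknown (reserved)' }
)

# Hypothetical helper: return the named value, or $null when it is absent.
function Get-PolicyValue([string]$Name) {
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Hypothetical helper: turn the two raw values into a list of findings.
function Test-AutoRunPolicy($Honor, $NoDriveType) {
    $findings = @()
    if ($Honor -ne 1) {
        # Without this value, XP may ignore NoDriveTypeAutoRun (the thread's issue).
        $findings += 'HonorAutorunSetting is not 1: NoDriveTypeAutoRun may not be honored'
    }
    if ($null -eq $NoDriveType) {
        $findings += 'NoDriveTypeAutoRun is not set under HKLM: the OS default applies'
    } else {
        foreach ($t in $DriveTypeBits) {
            if (-not ($NoDriveType -band $t.Bit)) {
                $findings += "AutoRun still enabled for drive type: $($t.Name)"
            }
        }
    }
    $findings
}

$findings = Test-AutoRunPolicy (Get-PolicyValue 'HonorAutorunSetting') (Get-PolicyValue 'NoDriveTypeAutoRun')
if ($findings) { $findings } else { 'AutoRun is disabled for all drive types and the setting is honored.' }
```

A NoDriveTypeAutoRun value of 0xFF sets every bit in the table, so the script reports no drive types when that value is present and HonorAutorunSetting is 1.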

Some are, some aren't. Although there are plenty of QFE's in the Microsoft KB, usually recognised by the words Hotfix Available and the fact that you have to email or otherwise contact Microsoft PSS to obtain them, there are also fully supported Public updates that, for one reason or other, are available from the Download Center, but are not offered by WU.

Note I was speaking about "the list", not this specific update. QFE's are indeed not public nor available on WU (unless we're talking about IE updates, in which case these are on WU but you won't be on QFE unless you do it manually once... I digress).

Actually, this particular update has a chequered history, because the original vulnerability was only on Vista, not on XP. Fixing the AutoRun behaviour was incidental. Microsoft have privately admitted that releasing the non-Security update for XP with the same KB950582 as the Security Update for Vista was a mistake.

I am aware of this - again, not speaking of this specific update particularly. I know the history behind this particular update intimately.

Not exactly, there's no need to do anything because the update makes the change for you. See the HonorAutorunSetting information given HERE for the full explanation.

And in this you are correct. My mistake.

Some are, some aren't. Although there are plenty of QFE's in the Microsoft KB, usually recognised by the words Hotfix Available and the fact that you have to email or otherwise contact Microsoft PSS to obtain them, there are also fully supported Public updates that, for one reason or other, are available from the Download Center, but are not offered by WU.

Note I was speaking about "the list", not this specific update. QFE's are indeed not public nor available on WU (unless we're talking about IE updates, in which case these are on WU but you won't be on QFE unless you do it manually once... I digress).

I was speaking about the list too... And I am aware of forcing the QFE branch too... But none of this "clarification" of each other's posts is helping the OP, so I shall stop right there.

The fact remains, as the public sees it, that there are updates released for Windows which do not make it to WU and they don't all fall into a single category when it comes to level of testing and support. How does one find these? There is no summary page or list provided by Microsoft. It all depends what one means by "optional" as well.

There are websites dedicated to listing all the Hotfixes that fall into the "available on request" category -- but as for those that are freely available by just clicking the "Download" button (like the example already quoted) there is, paradoxically, less available information, so I have suggested one (slow) way: search the Download Center manually -- maybe with a search like http://www.microsoft.com/downloads/Results...rtCriteria=date.

Also, if you can speak, or rather read, German, then http://patch-info.de (run by Ottmar Freudenberger) is very quick to report all manner of updates.

Thank you "James A" for your insightful answer. I've just gone to the German site you've provided me with (no, I can't read German so I'll be using Google Translator or something) and the site looks very intriguing indeed.

Thank you again.
