Electrician Posted July 6, 2005 Posted July 6, 2005 That makes sense - seeing how two updates for IE are folded into the MS URP (excuse me )MS05-014 Cumulative security update for Internet Explorer 867282 andMS05-020 Cumulative security update for Internet Explorer 890923.Bulletin Article title MS02-050 Certificate validation flaw might permit identity spoofing 317636 MS03-008 Flaw in Windows Script Engine may allow code to run 814078 MS03-022 Vulnerability in ISAPI Extension for Windows Media Services may cause code execution 822343 MS03-023 Buffer overrun in the HTML converter could allow code execution 823559 MS03-025 Flaw in Windows message handling through Utility Manager could enable privilege elevation 822679 MS03-026 Buffer Overrun in RPC May Allow Code Execution 823980 MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise 819696 MS03-034 Flaw in NetBIOS could lead to information disclosure 824105 MS03-039 A buffer overrun in RPCSS could allow an attacker to run malicious programs 824146 MS03-041 Vulnerability in Authenticode Verification Could Allow Remote Code Execution 823182 MS03-042 Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution 826232 MS03-043 Buffer overrun in Messenger service could allow code execution 828035 MS03-044 Buffer overrun in Windows Help and Support Center could lead to system compromise 825119 MS03-045 Buffer overrun in the ListBox and in the ComboBox Control could allow code execution 824141 MS03-049 Buffer Overrun in the Workstation Service Could Allow Code Execution 828749 MS04-006 A vulnerability in the Windows Internet Name Service (WINS) could allow code execution 830352 MS04-007 An ASN.1 vulnerability could allow code execution 828028 MS04-008 Vulnerability in Windows Media Services could allow a Denial of Service attack 832359 MS04-011 Security Update for Microsoft Windows 835732 MS04-012 Cumulative Update for Microsoft RPC/DCOM 828741 MS04-014 Vulnerability in the Microsoft Jet Database Engine could permit code execution 837001 MS04-016 Vulnerability in DirectPlay could allow denial of service 839643 MS04-019 A vulnerability in Utility Manager could allow code execution 842526 MS04-020 A vulnerability in POSIX could allow code execution 841872 MS04-022 A vulnerability in Task Scheduler could allow code execution 841873 MS04-023 Vulnerability in HTML Help could allow code execution 840315 MS04-024 A vulnerability in the Windows shell could allow remote code execution 839645 MS04-030 Vulnerability in WebDAV XML message handler could lead to a denial of service 824151 MS04-031 Vulnerability in NetDDE could allow remote code execution 841533 MS04-032 Security update for Microsoft Windows 840987 MS04-037 Vulnerability in Windows shell could allow remote code execution 841356 MS04-041 A vulnerability in WordPad could allow code execution 885836 MS04-043 Vulnerability in HyperTerminal could allow code execution 873339 MS04-044 Vulnerabilities in Windows Kernel and LSASS could allow elevation of privilege 885835 MS04-045 Vulnerability in WINS could allow remote code execution 870763 MS05-001 Vulnerability in HTML Help could allow code execution 890175 MS05-002 Vulnerability in cursor and icon format handling could allow remote code execution 891711 MS05-003 Vulnerability in the Indexing Service could allow remote code execution 871250 MS05-008 Vulnerability in Windows shell could allow remote code execution 890047 MS05-010 Vulnerability in the License Logging service could allow code execution 885834 MS05-011 Vulnerability in server message block could allow remote code execution 885250 MS05-012 Vulnerability in OLE and COM could allow remote code execution 873333 MS05-013 Vulnerability in the DHTML editing component ActiveX control could allow code execution 891781 MS05-014 Cumulative security update for Internet Explorer 867282 MS05-015 Vulnerability in hyperlink object library could allow remote code execution in Windows Server 2003 888113 MS05-016 Vulnerability in Windows Shell that could allow remote code execution 893086 MS05-017 Vulnerability in MSMQ could allow code execution 892944 MS05-018 Vulnerabilities in Windows kernel could allow elevation of privilege and denial of service 890859 MS05-019 Vulnerabilities in TCP/IP could allow remote code execution and denial of service 893066 MS05-020 Cumulative security update for Internet Explorer 890923 April 30 was last update included in rollup
Gurgelmeyer Posted July 6, 2005 Author Posted July 6, 2005 The IE so-called "cumulative" updates are a mess these days. Especially the IE6 ones - because they are not always cumulative, there are some times 2 updates with different KB #'s - one for admins and one on WU, and most IE6 security updates contain more than one version of the same binary. In w2k3 it gets even better: different versions of the same file sometimes share the same build number. Must be a nightmare for admins What actually gets installed is yet another thing to be conserned about. When installing IE6 one file which has to do with security/encryption seems to be kept permanently in the pending file-rename operations queue on w2k. The reason is, that it has a lower version number than the built in file with the same name, so the .inf installer doesn't replace the one in the dllcache.Anyway - thanks guys for clearing this up. You saved me a lot of time :
Russ Posted July 6, 2005 Posted July 6, 2005 Things just keep getting better. I hope you're keeping track of how you did all of this, because I for one would find it to be a really interesting read.
slippykillsticks Posted July 7, 2005 Posted July 7, 2005 But if he wanted to keep it a secret, I wouldn't see a problem with that. A guy with the kind of smarts he has should be able to have a few "trade secrets."
hoak Posted July 8, 2005 Posted July 8, 2005 (edited) Gurgelmeyer!? I know you have your hands full with work and commitments a plenty that will likely keep you busy indefinitely -- but I have to ask: How about an "Unofficial Gurgelmeyer/Microsoft JVM Roll-up"?A lot of people still prefer the Microsoft JVM over Sun's Java JRE as it's: smaller, required for and/or still faster for some applications, and with all its patches as secure as Sun's JRE. The last release of the JVM was 3810 (available here and elsewhere) but there are a confusing slew of patches... As some would like to install the JVM and others JRE it would be nice to be able to install a fully updated Microsoft JVM that was secure from go, rather then having to search for 3810, then have to remember to go to Microsoft Update and pick the JVM updates. This would also (ideally) make cleanly installing and uninstalling the Microsoft JVM a clean and simple one step process...This project would benefit Users of ever flavor of Windows -- 2000, XP, and Server 20003. As your understanding of Microsoft's patch and packaging system internals seems to be the best in the biz, it would be nice if you were the guy to give this 'the Gurgelmeyer treatment', to see it done right -- if and/or when you'd have time to get around to such a thing... Edited July 8, 2005 by hoak
RyanVM Posted July 8, 2005 Posted July 8, 2005 (edited) and with all its patches as secure as Sun's JRE.<{POST_SNAPBACK}>And it's loosely based on Java circa 1997EDIT: http://www.msfn.org/board/index.php?showto...ndpost&p=186239 Edited July 8, 2005 by RyanVM
fdv Posted July 8, 2005 Posted July 8, 2005 <sigh>RyanVM isn't trolling. Did you read the linked material? MS doesn't include it's Java in its operating systems anymore. It was a victim of their embrace and extend, had security flaws, got lotsa patches, Sun won the lawsuit, MS dropped their proprietary version. Which is, in fact, a JVM based on version 1.1, which dates from 1997.(Not saying it's good or bad, simply explaining that when RyanVM says what he says, he isn't trolling)
hoak Posted July 9, 2005 Posted July 9, 2005 (edited) RyanVM isn't trolling. Did you read the linked material?Yes, did you? In fact I read the thread in entire, and the title/topic post only emphasizes the point I made here, and that others were trying to make in the MS JVM thread that RyanVM's post has no bearing on and is not pertinent to... MS doesn't include it's Java in its operating systems anymore.Yes, I know, it should be pretty obvious I acknowledge this in my post...It was a victim of their embrace and extend, had security flaws, got lotsa patches, Sun won the lawsuit, MS dropped their proprietary version. Which is, in fact, a JVM based on version 1.1, which dates from 1997.Well thanks for the embellished, incomplete and not entirely accurate history lesson; but I really don't need one, and it has virtually no bearing on the veracity of the MS JVM for those that need or perfer it for specific applications. (Not saying it's good or bad, simply explaining that when RyanVM says what he says, he isn't trolling)Well then call it a post not germane to the topic; I seriously doubt that most people that post to these fourms don't know the history of the Microsoft/Sun/Java litigation in considerable detail that is way beyond the scope and not germane to the topic.... What you and RyanVM clealy miss, misunderstand or ignore is the value and veracity of the MS JVM; the fact that even though Microsoft no longer officially offers or supports it -- that it still outperformas the Sun's JRE for many applications considerably and is arguably (for your benifit), as, or more secure with Microsoft's updates than the Sun JRE.The point, of the post in this thread is there are those that need the Microsoft JVM for specific applications compiled specifically for or optimised for it -- that either run poorly or not at all on the Sun JRE, and that it would be nice to be able to install and uninstall a secure and fully patched MS JVM... Sorry that this has appearently escaped you (and RyanVM) in both threads... Edited July 9, 2005 by hoak
Gurgelmeyer Posted July 9, 2005 Author Posted July 9, 2005 (edited) Hi all I - for one - still can't do online banking without MSJVM. I already looked into this a few months back, and I've briefly examined the original multi-platform MSJVM package (3802), the W2k SP3 version of MSJVM (3805), the original multi-platform version of Q816093 (3810), and the W2k SP3-only version of Q816093 (3810).Best regards,GurgelmeyerPS - Yes, I'll do it Edited July 9, 2005 by Gurgelmeyer
hoak Posted July 9, 2005 Posted July 9, 2005 Woot! The Magic Penguin strikes again! I'm sorry to have pooped up the thread with this stuff, but it's been so long since I've done without the MS JVM that I can't even remember what Microsoft and 3rd party applications I have that grind to a halt without it. All I can say is: "Are we ever lucky to have Gurgelmeyer!" It will be interesting to benchmark equivelent service setups on a properly patched Gurgelmeyered™ installation of Windows 2000 vs. Server 2003 and Windows XP...
slippykillsticks Posted July 9, 2005 Posted July 9, 2005 PS - Yes, I'll do it <{POST_SNAPBACK}>Cool. B)
fdv Posted July 9, 2005 Posted July 9, 2005 (edited) Hi, gents.This post is not arguing anything whatsoever either way about MS JVM, its users, online banking, security or insecurity of the MS JVM, who or what supports it, or anything else. It's just me doing an MSJVM package for fun.Build 3810 will install only if msjava.dll is on the system, and XPSP2 and Win2k SP4+ don't put it on the system by default. So, I whipped the below up.Here was a RAR file containing the last msjava.dll MS issued (Build 3810 version); it installs in in your /system32. Then, the package runs the 3810 updater. It worked okay and installed MS JVM on my machine. Give it a try. I'll keep it up for a few days, but I don't want major throughput so I'll take it down after a little while.edit: file now removed. (23 folks downloaded it.) Edited July 26, 2005 by fdv
slippykillsticks Posted July 11, 2005 Posted July 11, 2005 Anything new going on here in the last few days? Seemed kinda quiet so I just thought I'd ask.
matthiaselmo Posted July 11, 2005 Posted July 11, 2005 I just got a replacement for my faulty HDD and I'm glad I found this forum thread. I am interested in slipstreaming your SP5 into my Win2K CD before I re-install.Couple questions...1.) I noticed someone mention that having a SP5 installed might cause problems with Windows Update in the future. Any further information on this?2.) How's it coming? My new HDD is burning a whole threw my desk waiting to go into my computer.I wanna be clear that I am not a whiney grabby guy that expects everything in the world for free, etc. If you get it done and when then I'll be thankful, but I am just curious because I want to know if I should bother waiting for it to be finished or if I should just go ahead and re-install w/o it.Thanks Gurgelmeyer, Project looks great. Way to fill the Gap.-matthiaselmo
Recommended Posts