Jump to content

Hotfixes For Windows XP Professional SP1


Aaron

Recommended Posts

Will slipstreaming the Update Rollup 1 (KB826939) into Windows XP SP1 alleviate the need to install any of the hotfixes mentioned in the main list?
Well, of course yes :)
If so (which I assume), which ones?

Here is the list:

810565 Hyperlinks Open in Internet Explorer Instead of in Default Browser or Help and Support Center

821557 MS03-027: An Unchecked Buffer in the Windows Shell Could Permit Your System to Be Compromised

811493 MS03-013: Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges

328310 MS02-071: Flaw in Windows WM_TIMER Message Handling Can Enable Privilege Elevation

823980 MS03-026: Buffer Overrun in RPC May Allow Code Execution

331953 MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks

323255 MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code

810577 MS03-005: Unchecked Buffer in Windows Redirector May Permit Privilege Elevation

815021 MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise

329115 MS02-050: Certificate Validation Flaw Might Permit Identity Spoofing

329170 MS02-070: Flaw in SMB Signing May Permit Group Policy to Be Modified

817606 MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption

814033 Cannot Install Driver Updates from the Windows Update Web Site

810833 MS03-001: Unchecked Buffer in the Locator Service Might Permit Code to Run

823559 MS03-023: Buffer Overrun in the HTML Converter Could Allow Code Execution

329048 MS02-054: Unchecked Buffer in File Decompression Functions May Allow Attacker to Run Code

329441 You Cannot Create a Network Connection After You Restore Windows XP

817287 Windows Update 643 Error and the Catalog Database

329390 MS02-072: Unchecked Buffer in Windows Shell Might Permit System Compromise

329834 MS02-063: Unchecked Buffer in PPTP Implementation May Permit Denial-of-Service Attacks

811630 HTML Help Update to Limit Functionality When It Is Invoked with the window.showHelp Method

824146 MS03-039: A Buffer Overrun in RPCSS May Allow Code Execution

Link to comment
Share on other sites


Could I install the Update Rollup 1 without the method MSFN but whith the command /U /N /Z like the other hotfixes ?

[Version]

Signature="$Windows NT$"

MajorVersion=5

MinorVersion=1

BuildNumber=2600

[setupData]

CatalogSubDir="\i386\UPDATE"

[ProductCatalogsToInstall]

[setupHotfixesToRun]

KB826939.exe /U /N /Z

KB824141.exe /U /N /Z

KB823182.exe /U /N /Z

KB828035.exe /U /N /Z

KB821253.exe /U /N /Z

KB825119.exe /U /N /Z

Q828750.exe /Q:U /R:N

Q330994.exe /Q:U /R:N

qchain.exe

Thank's

Link to comment
Share on other sites

I can't understand why don't you mention the critical updates of the last 1-2 weeks ?

The risk of not applying them is VERY high.

MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)

MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

Is there at last a page which will provide an archive with all the bat-files and names of the hotfixes maintained by a single person ?

I think it is convinient for the user to be able to install only the updates missing. Can anoyone make it clear and summarize what are installation methods for MS Hotfixes ?

I know WindowsUpdate, WindowsUpdate+SUS services, Shalvik HFNetCheckPro, HFNetCheckLite and a free utility based on MS Baseline security analyzer (there was a posting on ntbugtraq).

Each of these programs have their pros and cons. Windowsupdate needs a Windowsupdate.com website (which is not good if the user doesn't have a high-speed connection) or a SUS server to operate (it requires a separate server machine).

The Commercial Shalvik program can download and install patches of any language. Actually I haven't tried the download possibility because of using only it's free version. But for my opinion it's a very slow program with bloated interface.

The free util I mentioned can accept input from MS baseline security analyzer (command line util) or HFnetCheckLite. It install patches remotely, and even can parse the mssecure.xml and try to download the patches from MS website. Then it can generate a webpage about the updates it could not download. Downloading these is a pain of choosing the right language, then renaming it into Qxxxxxx (there may be human errors in this manual step).

Can anyone give a simple solution for automatic download and deployment of multilingual hotfixe (for example, in Russia we use both English and Russian versions of Windows)? This solution should apply not only to security specialists but also common users.

Microsoft would never raise the security of it's products if it doesn't provide a simple and FREE way of doing that !

Link to comment
Share on other sites

I can't understand why don't you mention the critical updates of the last 1-2 weeks ?

The risk of not applying them is VERY high.

MS03-045 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

MS03-044 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)

MS03-043 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

MS03-041 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

All these are on the first post in this thread... gotta read it all :)

Link to comment
Share on other sites

AaronXP, first of all I want to say you are my hero. I have been working on unattended setups since NT4. The slipstreaming introduced with Windows 2000 I always thought was a good idea but I never messed around very much with slipstreaming hotfixes because it was always so complicated and the frequency of patches emanating from Redmond precluded me from devoting serious effort to each one. My vote is we lobby for hotfixes to support the -s parameter so they can be painlessly slipstreamed to an I386 source just as with the service packs.

A few nitpicky things: I noticed you don't include any IIS patches, most notably Q811114. This may or may not be "by design" but I think it's worth pointing out. I use the [Components] section of my unattend.txt to turn on several IIS components during install so I have to make sure that this particular hotfix is applied. The only other case I can see where users would be affected is if they installed IIS components post-setup and then did not use Q811114 to patch, erroneously thinking that their CD had ALL the latest updates.

Secondly, you suggest the use of the /Q /U /N /Z parameters for "standard" hotfixes. In this case, the /Q makes the /U redundant. A fairly standard practice for clean installs is /Q /N /Z. If users would like to see what's going on but still have a hands-free install, substituting /U for /Q will do so. At no time should both switches be required.

I noticed that before the rollup patch was released my list of patches was 33 lines long. Using WinPE to install my OS took about 15 minutes but applying all those patches took almost as long! When I started experimenting with /U instead of /Q I noticed that for the vast majority of the time spent applying each patch the status text said something like "Creating 3rd-party driver list." After reviewing all of the drivers I was slipstreaming, I decided it was safe to use /O (for overwrite OEM files without prompting). This cut down the deployment time for each patch from as many as 90+ seconds to under 20 seconds in most cases. I do not recommend this for all users, but if you're looking to speed things along, I reduced my patching time from 15 minutes to about 3. I suspect this will significantly reduce that dreaded wait at 13 minutes remaining in a fully patch-slipstreamed install.

AaronXP, I just want to say again how much I appreciate your work. I thought I was the only one who ever got into this sorta thing and I can't believe it's taken me this long to find these forums.

As always, comments and suggestions welcome.

Link to comment
Share on other sites

Just saw this ones at critical section at windowsupdate.com, since i'm a newbie on this matter compared with AaronXP please can someone tell me if these ones are needed :)., this forum is perfect for network admins:

817606: Security Update (Windows XP) - (Posted Date: October 21, 2003)

An identified security issue in Microsoft Windows could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system. By installing this update, you can help protect your computer. After you install this item, you may have to restart your computer.

Link to comment
Share on other sites

i slipstreamed sp1a into windows disc and after installing windows @ wu site it says i need to install the vm update.....according to your suggestions you say not nesc. to download.....hmmm.....microsoft must have given me sp1 instead........just downloaded it a week ago........anyhow thanx for links to updates :)

Link to comment
Share on other sites

After reviewing all of the drivers I was slipstreaming, I decided it was safe to use /O (for overwrite OEM files without prompting). This cut down the deployment time for each patch from as many as 90+ seconds to under 20 seconds in most cases. I do not recommend this for all users, but if you're looking to speed things along, I reduced my patching time from 15 minutes to about 3. I suspect this will significantly reduce that dreaded wait at 13 minutes remaining in a fully patch-slipstreamed install.
Very nice switch Baliktad, i'm gonna try it now.

Could you tell me if this code is correct ?

echo Applying SP2 hotfixes...

for %%i in (%systemdrive%\install\hotfixes\1\*.exe) do start /wait %%i /U  /Z /N /O

Link to comment
Share on other sites

Could you tell me if this code is correct ? <snip code>
catpsion: Looks good to me. I usually use -q -o -n -z or -u -o -n -z, depending on whether I want to see what's going on or not. Order of the switches, use of a dash (-) or forward slash (/), and capitalization all have no effect so feel free to keep using what you've got.

For what it's worth, here's my current fixwinxp.cmd script I run immediately after a fresh install of Windows XP SP1. Should take care of all critical updates.

..\Q826939\WindowsXP-KB826939-x86-ENU.exe -q -o -n -z
..\Q824105\WindowsXP-KB824105-x86-ENU.exe -q -o -n -z
..\Q828026\WindowsMedia-KB828026-x86-ENU.exe -q -o -n -z
..\Q819696\Q819696_WXP_SP2_x86_ENU.exe -q -o -n -z
..\Q811114\Q811114_WXP_SP2_x86_ENU.exe -q -o -n -z
..\Q816093\msjavwu.exe /c:"javatrig.exe /exe_install /l /q" /q:a /r:n
..\Q823718\Q823718_MDAC_SecurityPatch.exe /q /c:"dahotfix.exe /q /n"
..\Q817787\WindowsMedia8-KB817787-x86-ENU.exe /q:a /r:n
..\Q828750\IE6SP1\q828750.exe /q:a /r:n
..\Q330994\q330994.exe /q:a /r:n
..\Q814078\js56nen.exe /q /r:n
..\Q828035\WindowsXP-KB828035-x86-ENU.exe -q -o -n -z
..\Q825119\WindowsXP-KB825119-x86-ENU.exe -q -o -n -z
..\Q823182\WindowsXP-KB823182-x86-ENU.exe -q -o -n -z
..\Q824141\WindowsXP-KB824141-x86-ENU.exe -q -o -n -z

REM shutdown -r -t 0

I don't really care for WMP9 or MM2 or any of those other spurious updates so this list will only fix off-the-disc components. Modify as necessary; comments and suggestions welcome.

Link to comment
Share on other sites

@baliktad: you're gonna make us all feel blind with this -o thing. Do you think this will create problems for those including OEM drivers in the installation? I'll certainly use it if it works for me.

Also, after reading your post I added all the optional components to my installation, and the 811114 update was the only one that showed up. (You knew that: I just learned it.)

Is the msjavwu.exe that you install with the javatrig.exe command line the stock msjavwu.exe, or has it been modified?

Lastly, there are a ton of people here, myself included, that would like to know more about your WinPE based installation method.

Thanks for the tips!

Link to comment
Share on other sites

i slipstreamed sp1a into windows disc and after installing windows @ wu site it says i need to install the vm update.....according to your suggestions you say not nesc. to download.....hmmm.....microsoft must have given me sp1 instead........just downloaded it a week ago........anyhow thanx for links to updates :)

If you got it last week, then its SP1a, which removes JavaVM. There was a thread I saw this week which showed how to get the full 3809 build and 3810 update put together in one package.

Link to comment
Share on other sites

Greenmachine: I include OEM drivers in my several installation scenarios and have never had a problem. This may or may not apply to everybody but as far as I can tell, hotfixes rarely replace driver files so for the most part the "third party driver search" is pretty much useless. I say go for it, but if you start experiencing problems, you'll know the first place you should look.

Also, the msjavwu.exe that I use has not been modified. I did have to download it from the Windows Update catalog I believe, but no hex editing - those are all fully supported switches.

I didn't do too much for my WinPE installation but I've described what I did in my post in the Win2k/XP install thread in the Windows PE forum (sorry, I couldn't figure out to link to a specific post).

Combining the java install into one package was also my doing: see this thread for more details. It's quite simple really.

Glad to be a part of these forums, and I'm always looking for more tips. I really do want to hear what you guys think, too. Comments and suggestions welcome.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...