| Subject: | [ISN] Microsoft fixes XP SP2 patching flaw |
|---|---|
| Date: | Fri, 20 Aug 2004 03:26:52 -0500 (CDT) |

http://www.nwfusion.com/news/2004/0819mspatch.html

By John Fontana
Network World Fusion
08/19/04

Microsoft Thursday released a fix for the Windows XP Service Pack 2 installation package it provided to corporate users of its free patch deployment server to correct a flaw that would not allow IT to stealthily install the service pack without end-user intervention.

The problem affected those using Microsoft's Software Update Services (SUS), a free Windows server add-on that runs behind the corporate firewall. SUS allows companies to create a centralized internal staging area and schedule the distribution of patches after they are tested and approved instead of downloading patches from Microsoft directly to desktops.

Microsoft informed users that the deployment of XP SP2 through SUS would be "silent" and not require any end-user intervention, but that turned out not to be the case to the surprise and dismay of users.

"Client computers did not silently install the service pack at the scheduled time," says Brian Doré, an administrator in the office of information systems at the University of Louisiana at Lafayette. "Instead they wait for a user login and prompt to start the SP2 Wizard and [end user license agreement]. Users can also cancel the install at this point. Obviously it was a major problem."

Doré says the university typically silently installs service packs in the wee hours of the morning.

"Users that arrived at work the next morning were greeted with the SP2 Wizard when they logged on and were given the choice to cancel or install. Those that canceled were not patched. Those that accepted the install could not use their computers for up to 30 minutes while the patch installed."

So instead of having his desktops updated, Doré was left with a hodge-podge of patched and unpatched clients and forced to temporarily block his SUS server from distributing SP2.

The fix was made available Thursday and SUS users will automatically get a small update file when they synchronize SUS servers with the Microsoft Windows Update service that provides patches, according to Microsoft officials. Users also can execute a manual download to get the file. The synchronization will not download the entire XP SP2 package if it has already been downloaded.

Microsoft officials said the problem was with the "install parameters" of the XP SP2 package made available to SUS users and not with XP SP2 itself. The fix is contained in a 1M-byte file called aurtf.cab, which contains the metadata to update the XP SP2 install package for SUS.

SUS works in conjunction with a client side mechanism called Automatic Updates, which grabs the patches from the SUS server and installs them on the desktop.

Last week, Microsoft issued a set of tweaks for Automatic Updates that block it for the next 120 days from automatically downloading XP SP2 directly from Microsoft's Windows Update service. Users had asked for more time to test the patch before Automatic Updates kicked off on Monday.

Microsoft is expected soon to post information on the SUS issue on its SUS Web site [1].

[1] http://www.microsoft.com/windowsserversystem/sus/default.mspx