
Re: MS09-010 960477 KB923561 FAILED on all Servers.


PA Bear [MS MVP]

Apr 16, 2009, 12:38:35 PM
[Forwarded to Windows Server General & Security newsgroups via crosspost for
greater exposure]

See the "How to obtain help..." section of
http://support.microsoft.com/kb/960477 or
http://support.microsoft.com/kb/923561
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the
> patch to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

JustJeff

Apr 16, 2009, 1:58:01 PM

Yes - but how does one get around the issue? This is happening on a
significant number of servers. MS email support is a joke.

PA Bear [MS MVP]

Apr 16, 2009, 5:56:27 PM
[Jeff, if I knew why you were experiencing these failures and how you could
"get around" them, I'd tell you. Let's let some others reply to your
thread.]

Susan Bradley

Apr 16, 2009, 8:27:35 PM
JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

Disable the Word 6 converter by restricting access

An administrator can apply an access control list to affected converters
to ensure that the converter is no longer loaded by WordPad and Office.
This effectively prevents exploitation of the issue using this attack
vector.

Warning: Undo this workaround before installing this security update.

Susan Bradley

Apr 16, 2009, 8:25:20 PM
JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

Do you have some sort of hardening template installed? I don't have
"read/execute for the Everyone group" on mine?

Susan Bradley

Apr 16, 2009, 8:27:16 PM
JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

Warning: Undo this workaround before installing this security update.

In order to apply the access list, run the following commands from the
command prompt. Note that some of these may result in an error message;
this is expected.

echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E /P everyone:N

Impact of workaround. Upon implementing the workaround, the user will no
longer be able to convert Word 6 documents to WordPad RTF or Word 2003
documents. Microsoft Office Word will return an error saying, "The file
appears to be corrupted."

How to undo the workaround.

echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /R everyone
echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /R everyone
echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /R everyone
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc" /E /R everyone
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv" /E /R everyone
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /R everyone
echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E /R everyone

You did the mitigation, you have to undo it first.

Ace Fekay [Microsoft Certified Trainer]

Apr 17, 2009, 5:20:55 PM
"JustJeff" <Just...@discussions.microsoft.com> wrote in message
news:EDFEF978-7A4B-4DFB...@microsoft.com...

> Yes - but how does one get around the issue? This is happening on a
> significant number of servers. MS email support is a joke.

Hello Jeff,

I have not been following the whole thread, and only see the past 3 posts.
But I must say, I actually have not seen any problems with this update,
or others. I don't see why you have to alter any permissions for any updates
to be installed on any server unless basic out of the box configuration has
been altered or a security template has been applied.

Have you made any configuration changes to your DCs and servers, such as C:
drive permission changes, disabled services (such as the required DHCP
Client service), or anything like that based on company SOP? Are you only
using your internal DNS servers for all machines' IP properties?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.


Ace Fekay [Microsoft Certified Trainer]

Apr 17, 2009, 5:26:22 PM
"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:e7G7yAuv...@TK2MSFTNGP03.phx.gbl...

> [Jeff, if I knew why you were experiencing these failures and how you
> could "get around" them, I'd tell you. Let's let some others reply to
> your thread.]


To add, after looking into it deeper, and I don't know if this was discussed
in this thread, but it appears the following article indicates the
installation may fail if 960906 was installed prior to this installation.
MS09-010: Description of the update for Windows WordPad Converter: April 14,
2009
http://support.microsoft.com/?id=923561

And this is 960906, that indicates it changes permissions on that file:
Microsoft Security Advisory: Vulnerability in Wordpad Convertor could allow
remote code execution
http://support.microsoft.com/?id=960906

I assumed if you have numerous servers, that you read the bulletins and
articles prior to installation?

Ace

PA Bear [MS MVP]

Apr 17, 2009, 7:11:26 PM
Ace Fekay [Microsoft Certified Trainer] wrote:
> "JustJeff" <Just...@discussions.microsoft.com> wrote in message
> news:EDFEF978-7A4B-4DFB...@microsoft.com...
>> Yes - but how does one get around the issue? This is happening on a
>> significant number of servers. MS email support is a joke.
>
> Hello Jeff,
>
> I have not been following the whole thread, and only see the past 3 posts.
> But I must say, I actually have not seen any problems with this update,
> or others. I don't see why you have to alter any permissions for any updates
> to be installed on any server unless basic out of the box configuration has
> been altered or a security template has been applied.
>
> Have you made any configuration changes to your DCs and servers, such as C:
> drive permission changes, disabled services (such as the required DHCP
> Client service), or anything like that based on company SOP? Are you only
> using your internal DNS servers for all machines' IP properties?

> I have not been following the whole thread, and only see the past 3 posts.

That's because the newsservers are still horked and have been for the past
month or so.

Here's the entire thread as archived in Google Groups:
http://groups.google.com/group/microsoft.public.windowsupdate/browse_frm/thread/6da270a647dd3f35/3a3fab655525f3da

Right now, it's showing eight (8) posts, including your two (2). Expand the
quote in the first post (mine) to see Jeff's first post.

Ace Fekay [Microsoft Certified Trainer]

Apr 17, 2009, 7:52:46 PM
"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:On$VlO7vJ...@TK2MSFTNGP03.phx.gbl...

>
> That's because the newsservers are still horked and have been for the past
> month or so.
>
> Here's the entire thread as archived in Google Groups:
> http://groups.google.com/group/microsoft.public.windowsupdate/browse_frm/thread/6da270a647dd3f35/3a3fab655525f3da
>
> Right now, it's showing eight (8) posts, including your two (2). Expand
> the quote in the first post (mine) to see Jeff's first post.


Thanks, PA Bear.

I reviewed the posts and it looks like Susan provided a script to take care
of it. I also agree with her question if a security template may have been
possibly applied to the machines causing this. Other than that, I can't
think of anything else that could be causing it. I myself, have not seen
this issue on any of my servers or my customers' servers.

btw - OT, curious about your name. Where are you located? Wilkes Barre or
thereabouts? I'm near Philly.

Ace

Harry Johnston [MVP]

Apr 20, 2009, 11:28:19 PM
I'd guess the mitigation had already been undone on these servers, since
Everyone had RX permission. Probably someone made a mistake either when
applying the mitigation or removing it and accidentally zapped the Administrator
permissions which should have remained unchanged.

JustJeff: the correct permissions for the mswrd8.wpc file (and the other files
in the same directory) are:

BUILTIN\Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Harry.
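
A read-only check that could be run on each server before installing the update, added here as an example and not part of any post in the thread: it flags deny entries or any Everyone entry left on the converter files and compares each file against the permissions Harry lists. The function name Test-ConverterAcl is hypothetical, and applying Harry's baseline to the TextConv files as well as the Accessories files is an assumption.

```powershell
# Added example: read-only ACL audit for the converter files named in this thread.
# Well-known SIDs are used instead of names so the check does not depend on OS language.
$Everyone = 'S-1-1-0'
$Baseline = @{                       # baseline from the last post in the thread
    'S-1-5-32-545' = 'Read'          # BUILTIN\Users:R
    'S-1-5-32-544' = 'FullControl'   # BUILTIN\Administrators:F
    'S-1-5-18'     = 'FullControl'   # NT AUTHORITY\SYSTEM:F
}
# File names taken from the cacls commands and the first post (mswrd8.wpc).
$Relative = @(
    'Windows NT\Accessories\mswrd6.wpc',
    'Windows NT\Accessories\mswrd664.wpc',
    'Windows NT\Accessories\mswrd8.wpc',
    'Common Files\Microsoft Shared\TextConv\mswrd632.wpc',
    'Common Files\Microsoft Shared\TextConv\mswrd632.cnv'
)
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

function Test-ConverterAcl {         # hypothetical helper name
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl $Path).GetAccessRules($true, $true, $sidType)
    $findings = @()
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Deny') { $findings += "deny ACE for $sid" }
        elseif ($sid -eq $Everyone) { $findings += "Everyone granted $($r.FileSystemRights)" }
    }
    foreach ($sid in $Baseline.Keys) {
        $want = [System.Security.AccessControl.FileSystemRights]$Baseline[$sid]
        $ok = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $want) -eq $want
        }
        if (-not $ok) { $findings += "missing $($Baseline[$sid]) for $sid" }
    }
    $findings
}

foreach ($root in $Roots) {
    foreach ($rel in $Relative) {
        $file = Join-Path $root $rel
        if (-not (Test-Path $file)) { continue }   # converter not present on this host
        $issues = @(Test-ConverterAcl -Path $file)
        if ($issues.Count -eq 0) { "OK     $file" }
        else { "REVIEW $file : $($issues -join '; ')" }
    }
}
```

The script changes nothing; any REVIEW line names a file whose ACL should be corrected before the update is attempted.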
