[WinPartners] Fwd: Re: new security update (Case 609930)

Stephen Dowdy sdowdy at MIT.EDU
Tue Jun 22 07:22:51 EDT 2004 

FYI...  response about an old security patch showing up for my home machine.


>X-Sieve: CMU Sieve 2.2
>Date: Mon, 21 Jun 2004 22:54:07 -0400 (EDT)
>From: security at MIT.EDU (MIT Network Security team)
>To: sdowdy at MIT.EDU
>Cc: security at MIT.EDU
>Subject: Re: new security update (Case 609930)
>X-Reply: new
>X-Cc: new
>X-Spam-Score: -4.9
>X-Spam-Flag: NO
>X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
>
> >I got home today, and my Windows update is telling me of a critical patch
> >that needs to be installed... specifically:
> >
> >        Security update Februrary 13, 2002 (MSXML 4.0)
>
>In general, your system can begin to require a patch from long ago
>whenever you install any piece of Microsoft software.
>
>For example, suppose that yesterday you did not have MSXML 4.0
>installed. In other words, MSXML4.DLL did not exist on the system. If
>you checked for critical updates, an MSXML 4.0 critical update would
>not be offered, because the update applies to software that was not
>installed.
>
>Then, conceivably you may have done something that triggered an
>installation of MSXML 4.0. Depending on your system configuration,
>this may have occurred more-or-less silently. There are most likely
>scenarios in which visiting a Microsoft web page (perhaps even one of
>the Windows Update pages) will trigger an installation of MSXML 4.0.
>Various third-party software requires MSXML 4.0 and may "helpfully"
>install it for you. A third party could design a web page using
>ActiveX controls that trigger an installation of MSXML 4.0 upon
>visiting the web page. In each of these cases, your system would then
>have the additional file MSXML4.DLL.
>
>Another possibility is that you previously had MSXML4.DLL, and it was
>up-to-date with patches, but then you installed something that
>downgraded MSXML4.DLL to an unpatched state. For example, a poorly
>designed third-party installer could conceivably replace a newer
>version of MSXML4.DLL with an older version of MSXML4.DLL.
>
>Once an unpatched version of MSXML4.DLL exists on the system, any
>subsequent visit to Windows Update should result in an offer to
>install a patched version of MSXML4.DLL, as described in
>http://www.microsoft.com/technet/security/bulletin/MS02-008.mspx. Even
>if you installed an MSXML update in 2002, the update may have patched
>only MSXML2.DLL and/or MSXML3.DLL.
>
>--
>[ We prefer e-mail to security at mit.edu, which reaches all members of
>the team. Please use e-mail communication if at all possible.
>Otherwise, please refer to the names of the Network Security team
>leaders at the top of http://web.mit.edu/net-security/www/team.html ]

More information about the winpartners mailing list