Critical Update issued for XP etc. but not for Vista

Vistaar

Vista Guru
The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires. Edit: Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? :shock: Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. " :shock: Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? :shock: Caution: This update would definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Caution: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. Update: It should then be possible to reinstall Avast/AVG products because Avast issued a micro-update.

In other news, Microsoft has issued KB4474419 for SHA-2 code signing support for Windows 6.0. Third Edition: The KB article states, "There are no prerequisites for installing this update;" however 2019 SHA-2 Code Signing Support requirement for Windows and WSUS indicates that the April 2019 Servicing stack update for Windows Server 2008 SP2 (KB4493730) would also be needed for Windows updates. The experiment in post #2 therefore cannot be regarded as conclusive (I'm not even sure if Windows Update Agent 7.6.7600.256 was present).
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

SIW2

Vista Guru
Gold Member
KB4474419 integrated into wim - along with the rest of my integrate list. Then ran the 4 speedups:

integrated-kb4474149-167total.JPG

It appears to prevent WU from getting any of the SHA-1 updates for Vista.
WU only offers these:

after-kb447.JPG


after-kb447-2.JPG


after-kb447-3.JPG
 
Last edited:

My Computer

System One

  • CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    2gb DDR2 800
    Graphics Card(s)
    nvidia 9500GT 1gb

SIW2

Vista Guru
Gold Member
The update was installed on Vista SP2. It prevented Vista SP2 from getting updates, ( except for windows defender ) as shown in my previous post - including screenshots. It isn't build 6003.
 

My Computer

System One

  • CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    2gb DDR2 800
    Graphics Card(s)
    nvidia 9500GT 1gb

SIW2

Vista Guru
Gold Member
I had formatted that partition. It was quite simple for me just now to install only that update into an image. It does indeed change the build to 6003.

The correct reponse to my earlier post that it prevents Vista from getting updates is:

Yes, and it also changes the build number.
 

My Computer

System One

  • CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    2gb DDR2 800
    Graphics Card(s)
    nvidia 9500GT 1gb

SIW2

Vista Guru
Gold Member
I hadn't looked at Vista for a long while. Been tinkering with it over the last few days. I have made boot media for it as well. Couple of things still to sort out on the x64, the x86 is working fine.

Will link it for anyone that is using vista x86. You will probably want to add your own net drivers. I only added the driver I needed for testing.

vistapepic1.jpg

vistapepic2.jpg

vistapepic3.jpg
 

My Computer

System One

  • CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    2gb DDR2 800
    Graphics Card(s)
    nvidia 9500GT 1gb

Vistaar

Vista Guru
Getting back to my original topic:
The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires.
Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to add Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? :shock: Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista." :shock: Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? :shock: Caution: This update definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Warning: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. (I have edited post #1.)
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

townsbg

~~тσωηsвg~~
Vista Guru
Gold Member
Disabling the Terminal Services service might perhaps mitigate the vulnerability. Does anyone have any thoughts on that? It is not clear to me why Home versions of Vista would be vulnerable at all (see the Warning in this tutorial).
Depends upon the method of the hack.
 

My Computers

System One System Two

  • Operating System
    Windows 7 Pro x64
    Manufacturer/Model
    Mid 2010 iMac
    CPU
    Quad core 3.2 Ghz Intel I3
    Memory
    8 gb
    Graphics Card(s)
    ATI Radeon HD 5670 512 mb ram
    Screen Resolution
    1920x1080 and 1440x900
    Hard Drives
    1 TB
    Other Info
    N/A
  • Operating System
    Windows 2008 R2 Enterprise
    Manufacturer/Model
    Compaq Presario SR5350F
    CPU
    Pentium 2.0 gHZ Dual core E2160
    Memory
    2 gb
    Screen Resolution
    1440 x 900
    Hard Drives
    300 GB

Vistaar

Vista Guru
CVE-2019-0708 says:
Mitigations

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:

1. Disable Remote Desktop Services if they are not required.

If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
 

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

Vistaar

Vista Guru

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

Vistaar

Vista Guru
Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to add Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? :shock: Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista." :shock: Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? :shock: Caution: This update would probably change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Warning: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility.
I don't know of any active forum members who are using Avast these days, but it's still very popular and there has been an unexpected development:
The company has issued micro-updates that make legacy versions of Avast and AVG compatible with Windows 6.0.6003. :)

Those of you who have no intention of installing any updates should disable the Terminal Services and Terminal Services Configuration services.
 

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT

Volume Z

Member
It enters a new stage of useless with Build number 6.0.6003. Windows Update not receiving updates for being fully patched, update servers closed or Windows Update no longer recognizing the operating system is three different things...
 

My Computer

Vistaar

Vista Guru
The vulnerability is CVE-2019-0708...Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista....the KB article...contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. "....Caution: This update would definitely change your build number from 6.0.6002 to 6003...
This was the first time in 2 years that Microsoft publicly urged those still running Windows Vista to install a security update (although almost every Windows Server 2008 SP2 update actually contains an extractable text file listing Windows Vista as an applicable OS). The update was not delivered to Windows Vista via Windows Update: Users interested in security would have to download and install it themselves from Microsoft Update Catalog.
 

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics Card(s)
    NVIDIA GeForce 8500 GT
Top