Critical Update issued for XP etc. but not for Vista

[Vistaar]

The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires. Edit: Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. " Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? Caution: This update would definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Caution: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. Update: It should then be possible to reinstall Avast/AVG products because Avast issued a micro-update.

In other news, Microsoft has issued KB4474419 for SHA-2 code signing support for Windows 6.0. Third Edition: The KB article states, "There are no prerequisites for installing this update;" however 2019 SHA-2 Code Signing Support requirement for Windows and WSUS indicates that the April 2019 Servicing stack update for Windows Server 2008 SP2 (KB4493730) would also be needed for Windows updates. The experiment in post #2 therefore cannot be regarded as conclusive (I'm not even sure if Windows Update Agent 7.6.7600.256 was present).

 

[SIW2]

KB4474419 integrated into wim - along with the rest of my integrate list. Then ran the 4 speedups:



It appears to prevent WU from getting any of the SHA-1 updates for Vista.
WU only offers these:

 

[Volume Z]

It appears to prevent WU from getting any of the SHA-1 updates for Vista.

No, it - among others - prevents Build 6003 from getting updates for Windows Vista.

Regards, VZ

 

[SIW2]

The update was installed on Vista SP2. It prevented Vista SP2 from getting updates, ( except for windows defender ) as shown in my previous post - including screenshots. It isn't build 6003.

 

[Volume Z]

You may want to take a quick look at winver.

 

[Volume Z]

I'm sorry, but first and foremost it confirms Windows Update becomes largely useless with updates more recent than April 2019 installed.

 

[Volume Z]

Hi Vistaar,

you just can't have KB4474419 installed and the Build number not raised to 6003.

 

[Volume Z]

Windows Update has never delivered Server 2008 updates to Vista in any case, so I'm not sure what you are driving at.

I'm driving at Build number 6003 breaking Windows Update.

 

[SIW2]

I had formatted that partition. It was quite simple for me just now to install only that update into an image. It does indeed change the build to 6003.

The correct reponse to my earlier post that it prevents Vista from getting updates is:

Yes, and it also changes the build number.

 

[SIW2]

One would presumably have all the old Vista patches installed before updating to Build 6003.

Looks that way.

 

[SIW2]

I hadn't looked at Vista for a long while. Been tinkering with it over the last few days. I have made boot media for it as well. Couple of things still to sort out on the x64, the x86 is working fine.

Will link it for anyone that is using vista x86. You will probably want to add your own net drivers. I only added the driver I needed for testing.

 

[SIW2]

V86-v4.iso

To integrate your own drivers or updates into a wim file installwimsysv2.zip

 

[Vistaar]

Getting back to my original topic:

The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires.

Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to add Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista." Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? Caution: This update definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Warning: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. (I have edited post #1.)

 

[townsbg]

Disabling the Terminal Services service might perhaps mitigate the vulnerability. Does anyone have any thoughts on that? It is not clear to me why Home versions of Vista would be vulnerable at all (see the Warning in this tutorial).

Depends upon the method of the hack.

 

[Vistaar]

CVE-2019-0708 says:

Mitigations

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:

1. Disable Remote Desktop Services if they are not required.

If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

In the case of Windows Vista, those would be the Terminal Services and Terminal Services Configuration services.

 

[Vistaar]

The latest word from Microsoft: A Reminder to Update Your Systems to Prevent a Worm

The latest word from Woody Leonhard: Microsoft Patch Alert: Patching whack-a-mole continues

The vulnerability now has a name and a Wikipedia article: BlueKeep (security vulnerability)

 

[Volume Z]

Windows Update becomes largely useless with updates more recent than April 2019 installed.

I am not going to sign up at msfn.org just to notify them.

Server 2008 Updates on Windows Vista

msfn.org

 

[Volume Z]

It enters a new stage of useless with Build number 6.0.6003. Windows Update not receiving updates for being fully patched, update servers closed or Windows Update no longer recognizing the operating system is three different things...

 

[Vistaar]

The vulnerability is CVE-2019-0708...Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista....the KB article...contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. "....Caution: This update would definitely change your build number from 6.0.6002 to 6003...

This was the first time in 2 years that Microsoft publicly urged those still running Windows Vista to install a security update (although almost every Windows Server 2008 SP2 update actually contains an extractable text file listing Windows Vista as an applicable OS). The update was not delivered to Windows Vista via Windows Update: Users interested in security would have to download and install it themselves from Microsoft Update Catalog.

 

[Volume Z]

Correct, and note how MS did not care to release a version that's really Vista compatible, i.e. not manipulating build numbers.