Microsoft KB Archive/896993

= Detection and deployment guidance for the April 12, 2005 security release =

Article ID: 896993

Article Last Modified on 12/7/2006

-

APPLIES TO

 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003 Service Pack 1, when used with:
 ** Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Service Pack 1, when used with:
 ** Microsoft Windows XP Professional
 ** Microsoft Windows XP Home Edition
 * Microsoft Windows XP Service Pack 2, when used with:
 ** Microsoft Windows XP Professional
 ** Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Service Pack 4, when used with:
 ** Microsoft Windows 2000 Advanced Server
 ** Microsoft Windows 2000 Datacenter Server
 ** Microsoft Windows 2000 Professional Edition
 ** Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Service Pack 3, when used with:
 ** Microsoft Windows 2000 Advanced Server
 ** Microsoft Windows 2000 Datacenter Server
 ** Microsoft Windows 2000 Professional Edition
 ** Microsoft Windows 2000 Server

-

SUMMARY


As part of an ongoing commitment to provide detection tools and deployment recommendations for security updates, Microsoft is delivering this detection and deployment guidance for all bulletins during a Microsoft Security Response Center (MSRC) release cycle. This guidance contains recommendations that are based on the types of scenarios that may be used in various Microsoft Windows environments. This includes the use of tools such as Windows Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), the Extended Security Update Inventory Tool, and the Enterprise Update Scan Tool. This document is a monthly supplement to the following Microsoft Knowledge Base article that gives specific detection and deployment recommendations based on the April 12, 2005 security release:

894193 How to obtain and use the Enterprise Update Scan Tool

Environments that detect and deploy security updates by using the public Windows Update Web site and the Office Update Web site
If you use the public Windows Update Web site or the Office Update Web site to detect and to deploy security updates, you are covered for the detection and the deployment of most new releases for April 12, 2005. The exceptions are MS05-021, MS05-022, and MS05-023:
 * MS05-021: Windows Update does not update Microsoft Exchange Server. For Microsoft Exchange Server security updates, you should first scan by using the Microsoft Baseline Security Analyzer (MBSA). For more information about MBSA, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

If the output from the MBSA scan shows that security updates are missing from Exchange Server, download the appropriate security updates from the Microsoft Download Center. The Microsoft Download Center Web sites are described in the MS05-021 bulletin.
 * MS05-022: Windows Update does not update MSN Messenger 6.2. MSN Messenger will eventually offer you the security update. If you want the security update earlier, you must visit the following MSN Messenger Download Web site to obtain the security update:

http://get.live.com/messenger/overview

You can use the Enterprise Update Scan Tool, also known as the EST, to scan systems that are running MSN Messenger to see if they are vulnerable. In smaller environments, the easiest method would be to scan the few computers that may require updates, verify the versions of these products, and then update the products from the Microsoft Download Center Web sites that are described in the MS05-022 bulletin. The Enterprise Update Scan Tool that is dated April 12, 2005 is available from the Microsoft Download Center.

Download the Enterprise Update Scan Tool package now.
 * MS05-023: This security update is a Microsoft Word security update. You must visit the Office Update Web site to obtain this security update.

Environments that detect security updates by using MBSA
If you are using MBSA to detect security updates, you are covered for the detection of all new releases that are dated April 12, 2005 except MS05-022.
 * As a supplement to MBSA, you can use the Enterprise Update Scan Tool to fully detect whether you require MS05-022. The Enterprise Update Scan Tool that is dated April 12, 2005 is available from the Microsoft Download Center.

Download the Enterprise Update Scan Tool package now.
 * The Office Detection Tool that is part of MBSA will detect MS05-023. However, it will only detect this security update if you perform a local scan.

Environments that detect and deploy security updates by using Software Update Services
If you use Software Update Services (SUS) to detect and to deploy security updates, you are covered for most new releases for April 12, 2005. The exceptions are MS05-021, MS05-022 and MS05-023:
 * SUS does not detect or deploy MS05-021. To deploy MS05-021, either visit the Microsoft Download Center Web sites that are described in the bulletin, or use a more robust deployment tool such as SMS.
 * SUS does not detect or deploy MS05-022. To deploy MS05-022, either visit the Microsoft Download Center Web sites that are described in the bulletin, or use a more robust deployment tool such as SMS.
 * SUS does not detect or deploy MS05-023. To deploy MS05-023, either visit the Office Update Web site, or use a more robust deployment tool such as SMS.

Environments that detect and deploy security updates by using SMS with the Software Update Services Feature Pack
If you use SMS to detect and to deploy security updates, you are covered for all new April 12, 2005 releases. You can use the SMS Security Update Inventory Tool built on MBSA, the Office Update Scan Tool built on the Office Detection Tool, and the SMS Extended Security Update Inventory Tool built on EST. These three SMS security update scan tools combine to provide coverage of all the April 12, 2005 security releases. To obtain the new SMS Extended Security Update Inventory Tool, visit the following Microsoft Download Center Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=2C93DA1D-48A0-4E5C-991F-87E08954F61B&displaylang=en

Note The Extended Security Update Inventory Tool now represents a cumulative release of all previous SMS EST releases. This includes MS04-028 EST, February 2005 EST, and MS05-022. In the future, this tool will be updated to include any future detection needs. You only have to download the updated tool and then upgrade your site servers by using the latest detection logic. We recommend that you uninstall or remove the superseded scan tools.

The detection and deployment matrix

FAQ for the detection and deployment guidance
What is Microsoft doing to provide me guidance on how to deploy these updates?

We recommend that system administrators join the monthly technical webcast to learn more about the April 2005 security updates. This webcast airs on April 13, 2005 at 11:00 AM Pacific Time. To register, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=43750

Also in April 2005, we are providing the following additional resources:
 * The Enterprise Update Scan Tool for standalone scans
 * The Extended Security Update Inventory Tool for SMS

These tools help deploy security updates. The Enterprise Update Scan Tool is a supplement to MBSA. The Extended Security Update Inventory Tool is a supplement to SMS.

Is the Enterprise Update Scan Tool cumulative like the Extended Security Update Inventory Tool is for SMS?

The Enterprise Update Scan Tool is not cumulative. There are no plans to make it cumulative.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether the updates are required?

You can use MBSA to detect the following security updates that were released in April 2005:
 * MS05-016
 * MS05-017
 * MS05-018
 * MS05-019
 * MS05-020
 * MS05-021
 * MS05-023

Notes
 * For MS05-022, MBSA does not detect this security update because this security update is an MSN Messenger security update. However, we have developed the Enterprise Update Scan Tool to help determine whether the MSN Messenger security update is required. The Enterprise Update Scan Tool that is dated April 12, 2005 is available from the Microsoft Download Center.

Download the Enterprise Update Scan Tool package now.
 * For MS05-023, MBSA only detects whether a security update is required for this vulnerability if you perform a local scan. You must perform a local scan because this security update is a Word security update and the Office Detection Tool part of MBSA is being used.
 * For more information about the programs that MBSA currently does not detect, click the following article number to view the article in the Microsoft Knowledge Base:

306460 Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates

If you installed any one of the programs that are listed in the "Affected software" section of any one of the security bulletins that are listed earlier, you may have to manually determine whether you must install the required security update. For more information about MBSA, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Which bulletins require that I use the Enterprise Update Scan Tool in combination with MBSA to identify vulnerable systems on my network?

You should use the Enterprise Update Scan Tool in combination with MBSA for MS05-022.

Note The Enterprise Update Scan Tool that is dated April 12, 2005 is available from the Microsoft Download Center.

Download the Enterprise Update Scan Tool package now.

Can I use Systems Management Server (SMS) to determine whether the updates are required?

Yes. SMS can help detect and deploy these security updates. Note that SMS uses MBSA for detection. Therefore, SMS cannot detect the programs that MBSA does not detect. For more information about SMS, visit the following Microsoft Web site:

http://www.microsoft.com/smserver/default.mspx

The Security Update Inventory Tool is required to detect the required security updates for Microsoft Windows and for other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, click the following article number to view the article in the Microsoft Knowledge Base:

306460 Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates

SMS can also use the Microsoft Office Inventory Tool to detect the required security updates for Microsoft Office programs, such as Microsoft Word.

'''I am trying to install MS05-022. Is there an additional tool to help me determine vulnerable computers?'''

Yes. As part of an ongoing commitment to provide detection capability for each bulletin release, a stand-alone detection tool has been made available that includes all affected products that are listed in this security bulletin. The stand-alone version of this tool is available from the Microsoft Download Center.

Download the stand-alone package now.

The SMS version of this tool, Extended Security Update Inventory Tool, is available from the Microsoft Download Center.

Download the Extended Security Update Inventory Tool package now.

'''I have received a hotfix from Microsoft or from my support provider since the release of MS04-004. Is that hotfix included in MS05-020?'''

Yes. When you install this security update, the installer checks to see if one or more of the files that are being updated on the computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the files that contain the hotfix to the computer. Otherwise, the installer copies the files without the hotfix to the computer.

Why are the command-line installation switches for MS05 for Microsoft Windows 2000 and for Microsoft Windows XP operating systems different from the command-line installation switches for MS04-025?

Starting with MS04-038, the packages that you download from Windows Update for Windows 2000 and for Windows XP Service Pack 1 use Update.exe. Previous security updates did not use Update.exe. Therefore, the installation options are different from previous releases. Also, as part of the change to Update.exe, the Microsoft Knowledge Base Article number of this security update will not be displayed in the About Internet Explorer dialog box in Microsoft Internet Explorer. For more information about the command-line switches that are available for this release, see the “Security update information” section of the security bulletin. If you automatically downloaded this package as a function of the SMS SUS Feature Pack, the command-line switches are based on the SMS Installer package. These command-line switches are different from the command-line switches that you use with the version that you download from Windows Update.

Keywords: kbdeployment kbhowto kbsecurity kbinfo KB896993

© Microsoft Corporation. All rights reserved.