Microsoft KB Archive/912307

= Previously approved software updates may be unapproved if you synchronize a server that is running SUS 1.0 with SP1 after December 12, 2005 =

Article ID: 912307

Article Last Modified on 12/20/2005


APPLIES TO


 * Microsoft Software Update Services 1.0






SYMPTOMS
If you synchronize a server that is running Microsoft Software Update Services (SUS) 1.0 with Service Pack 1 (SP1) after December 12, 2005, all the previously approved software updates may be unapproved. Additionally, these updates may display a status of "updated" on the Approve updates page. Servers that are running SUS 1.0 with SP1 do not experience this issue if they were deployed on or after December 13, 2005.

If Automatically approve new versions of previously approved updates is selected on the Set options page, the updates display a status of "updated," but the updates are not unchecked on the Approve updates page. In this scenario, you are not affected by this issue.

Potential effect
Although this issue has minimal effect in environments where all the SUS client computers have all the previously approved updates installed, client computers that have not yet downloaded previously approved updates may be vulnerable to the security issues that are addressed by those updates. These SUS client computers remain vulnerable until approvals are reset.

Vulnerable clients may include the following, among others:
 * New systems that have just been brought on line
 * Mobile systems that have been out of the environment and that have not used SUS for some time
 * Systems that have been turned off

We recommend that you use one of the methods in the "Workaround" section to reset approvals for your environment. If you do not use one of these methods, your environment may be at risk.



WORKAROUND
To work around this issue, use one of the following methods, depending on your situation.

Important If you are using a child SUS server in your environment, see the "Considerations for environments with a child SUS server" section.
 * Use Method 1 if a backup of the Approveditems.txt file is available.

Note Method 1 is the recommended method to work around this issue. If you have a backup of the Approveditems.txt file, we recommend that you use this method.
 * Use Method 2 or Method 3 if a backup of the Approveditems.txt file is unavailable.

Note Method 2 is the recommended method to work around this issue if you do not have a backup of the Approveditems.txt file.

Method 1: Restore the Approveditems.txt file
We recommend this method if a backup of the Approveditems.txt file is available.

Restore the Approveditems.txt file and return to the previous settings. To do this, follow these steps:
 * 1) Stop the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net stop wusyncservice

exit

 * 2) Copy your backup of the Approveditems.txt file to the following folders:
     * \
     * \Autoupdate\Dictionaries

Note Each path above is relative to the SUS virtual root. For example, the path of the SUS virtual root may be Inetpub\Wwwroot.
 * 3) Restart the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net start wusyncservice

exit

 * 4) On the http://servername/SUSAdmin page, click Set options.
 * 5) In the Select how you want to handle new versions of previously approved updates area, click Automatically approve new versions of previously approved updates.
 * 6) Synchronize the SUS server again.

The updates that you previously approved appear as approved. The newest updates are available for approval.

Method 2: Use the Approval Analyzer Tool
We recommend this method if a backup of the Approveditems.txt file is unavailable.

How to download the Approval Analyzer Tool
Note An updated version of the Approval Analyzer Tool is now available. The original December 14, 2005 release of the Approval Analyzer Tool has a known issue. This issue could cause some updates that were previously not approved by the SUS administrator to be approved and possibly deployed. If you previously downloaded the December 14, 2005 release of the Approval Analyzer Tool, do not use it. Instead, download the latest version of the tool.

To download the latest version of the Approval Analyzer Tool, visit the following Microsoft Web site.

http://www.microsoft.com/downloads/details.aspx?FamilyId=8D7310F8-DE9C-4326-AA26-39D633C295FF

Note The Approval Analyzer Tool is a self-extracting executable file. The file was packaged by using IExpress. For more information about command-line switches for IExpress software update packages, click the following article number to view the article in the Microsoft Knowledge Base:

197147 Command-line switches for IExpress software update packages

Approval Analyzer Tool file information
The English version of this package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

What occurs when you run the Approval Analyzer Tool
When you run this tool, the Approval Analyzer Tool does the following:
 * Creates a backup of the ApprovedItems.txt file. The backup file is named "ApprovedItems.txt.bup." The backup file is stored in the following location:

\autoupdate\dictionaries\

Note This path is relative to the SUS virtual root. For example, the path of the SUS virtual root may be "Inetpub\Wwwroot."
 * Identifies the faulty synchronization after the new catalog is released.
 * Finds the Last Known Good approval state before this synchronization date.
 * Restores the approvals from the Last Known Good approval state to a temporary ApprovedItems.txt file.
 * Makes sure that all the approvals in the Last Known Good approval state are restored. Additionally, makes sure that all the approvals after the faulty synchronization are restored.
 * Generates a temporary ApprovedItems1.txt file that contains all the previous approvals.

How to use the Approval Analyzer Tool
To use the Approval Analyzer Tool to work around this issue, follow these steps:
 * 1) Run the Approval Analyzer Tool. To do this, follow these steps:
     * a) Click Start, click Run, type cmd, and then click OK.
     * b) At the command prompt, type net stop wusyncservice, and then press ENTER.
     * c) At the command prompt, type the following commands, and then press ENTER after each command:

cscript RollBackToLKGApprovals.vbs

exit

 * 2) Rename the ApprovedItems1.txt file to "ApprovedItems.txt," and then copy the renamed file to both of the following locations to overwrite any existing copies of the ApprovedItems.txt file:
     * \
     * \autoupdate\dictionaries\

Note The default location for the SUS virtual root is Inetpub\Wwwroot. To locate the SUS virtual root, follow these steps:
     * a) Click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
     * b) Click Web Sites.
     * c) Right-click the Web site where SUS is installed, click Properties, and then click the Home Directory tab. Note the local path value.

Note By default, SUS is installed on the Default Web site.
 * 3) Start the Software Update Services Synchronization Service to apply the changes from the fixed ApprovedItems.txt file, and then restore the computer to its previous state. To do this, follow these steps:
     * a) Click Start, click Run, type cmd, and then click OK.
     * b) At the command prompt, type the following commands, and then press ENTER after each command:

net start wusyncservice

exit

 * 4) In the Approve updates area of the hard disk page, confirm that new updates from the December security release have the correct approval state.

Note If you experience a problem when you run the Approval Analyzer Tool, see the &quot;Steps to take if you experience a problem when you run the Approval Analyzer Tool&quot; section.

Method 3: Manually update the Approveditems.txt file
We recommend this method if you do not have a backup of the Approveditems.txt file, and you do not want to wait for an updated version of the Approval Analyzer Tool that is described in Method 2 to be made available for download.

To manually update the Approveditems.txt file, follow these steps:
 * 1) Make a backup copy of the Inetpub\Wwwroot\Approveditems.txt file.
 * 2) Stop the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net stop wusyncservice

exit

 * 3) Examine the Inetpub\Wwwroot\Autoupdate\Administration\History_Approve.xml file to identify what software updates have been approved.

Make sure that you include any updates that are listed in the History_Approve.xml file that were approved before the December 13, 2005 synchronization. Also, include any update approvals that were performed after the December 13, 2005 synchronization but before this issue was discovered.
 * 4) Use Notepad or another text editor to modify the Inetpub\Wwwroot\Approveditems.txt file so that it matches the approvals in the History_Approve.xml file that were set before the December 13, 2005 synchronization.

The following is part of an example Approveditems.txt file:

com_microsoft.q832894_ie_server2003,<approval_value>|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp2,<approval_value>|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp3,<approval_value>|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp4,<approval_value>|0@|0@|2004-03-11T01:03:16

In this example, <approval_value> represents a value that signifies the approval information. The approval value appears in the text file as 0@ or 1@.

Note The following rules apply to approval information:

0@ = not approved
1@ = approved

For example, the Approveditems.txt file may contain a section such as this:

com_microsoft.q832894_ie_server2003,1@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp2,0@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp3,1@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp4,0@|0@|0@|2004-03-11T01:03:16

In this example, the com_microsoft.q832894_ie_server2003 update is approved. The com_microsoft.q832894_ie501_sp2 update is not approved.
 * 5) Save and then close the Approveditems.txt file.
 * 6) Copy the modified Approveditems.txt file from the Inetpub\Wwwroot folder to the Inetpub\Wwwroot\Autoupdate\Dictionaries folder.
 * 7) Restart the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net start wusyncservice

exit

 * 8) On the http://servername/SUSAdmin page, click Set options.
 * 9) In the Select how you want to handle new versions of previously approved updates area, click Automatically approve new versions of previously approved updates.
 * 10) Synchronize the SUS server again.

The updates that you previously approved appear as approved.
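
The following check is an added example, not part of the original article or of the Approval Analyzer Tool: it parses two snapshots of Approveditems.txt in the record layout shown in the Method 3 sample and lists the updates whose approval was lost between them. The function names and the "after" snapshot are constructed for illustration, and the second and third `0@` fields, which this article does not explain, are carried through unchanged.

```python
# Added example: compare approval flags in two Approveditems.txt snapshots.
# Record layout assumed from the sample lines in this article:
#   <update_id>,<approval>|<field>|<field>|<timestamp>   (approval is 1@ or 0@)
SAMPLE_BEFORE = """\
com_microsoft.q832894_ie_server2003,1@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp2,0@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp3,1@|0@|0@|2004-03-11T01:03:16
"""
# Constructed snapshot after a faulty synchronization: approvals cleared.
SAMPLE_AFTER = """\
com_microsoft.q832894_ie_server2003,0@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp2,0@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp3,0@|0@|0@|2004-03-11T01:03:16
com_microsoft.q832894_ie501_sp4,0@|0@|0@|2004-03-11T01:03:16
"""

def parse_approved_items(text):
    """Return {update_id: (approved, [remaining fields])}; reject malformed lines."""
    items = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        update_id, sep, rest = line.partition(",")
        fields = rest.split("|")
        if not sep or fields[0] not in ("0@", "1@"):
            raise ValueError(f"line {lineno}: unexpected record {line!r}")
        items[update_id] = (fields[0] == "1@", fields[1:])
    return items

def lost_approvals(before_text, after_text):
    """IDs approved in the earlier snapshot but missing or unapproved now."""
    before, after = parse_approved_items(before_text), parse_approved_items(after_text)
    return sorted(uid for uid, (ok, _) in before.items()
                  if ok and not after.get(uid, (False, []))[0])

def reapply_approvals(before_text, after_text):
    """Rebuild the current records with earlier approvals set back to 1@."""
    lost = set(lost_approvals(before_text, after_text))
    out = []
    for uid, (ok, rest) in parse_approved_items(after_text).items():
        flag = "1@" if ok or uid in lost else "0@"
        out.append(f"{uid},{'|'.join([flag] + rest)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("Lost approvals:", lost_approvals(SAMPLE_BEFORE, SAMPLE_AFTER))
    print(reapply_approvals(SAMPLE_BEFORE, SAMPLE_AFTER), end="")
```

Run it against copies of the files, never the live ones, and review the rebuilt records against History_Approve.xml before copying anything back while the synchronization service is stopped.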


Considerations for environments with a child SUS server
If you are using a child SUS server and if the child SUS server is not set up to use Replace Mode, follow the steps in the “Workaround” section for the child SUS server.

If you are using a child SUS server and if the child SUS server is set up to use Replace Mode, follow the steps in the “Workaround” section for the parent SUS server, and then synchronize the child SUS server to the parent server. When you do this, the parent SUS server will copy the fixed ApprovedItems.txt file to the child SUS server.

To verify that a child SUS server is set up for Replace Mode, follow these steps:
 * 1) Open the http:// /SUSAdmin page, and then click Set Options.
 * 2) Under Select which server to synchronize content from, verify that the Synchronize list of approved items updated from this location (Replace Mode) option is selected.

Steps to take if you experience a problem when you run the Approval Analyzer Tool
The tool is not invasive and will not harm the computer.

To restore the computer to its pre-approval state after you run the tool, follow these steps:
 * 1) Stop the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net stop wusyncservice

exit

 * 2) Locate the ApprovedItems.txt file. Then, rename the file ApprovedItems.txt.old.

The ApprovedItems.txt file is located in the following folders:
     * \
     * \Autoupdate\Dictionaries

Note Each path above is relative to the SUS virtual root.
 * 3) Locate the ApprovedItems.txt.bup file. Rename the file ApprovedItems.txt. Then, copy the file to the folders that are listed in step 2.

The ApprovedItems.txt.bup file is located in the following folder:

\autoupdate\dictionaries\

 * 4) Restart the Software Update Services Synchronization Service. To do this, follow these steps:
     * a) Click Start, click Run, type cmd in the Open box, and then click OK.
     * b) At the command prompt, type the following commands. Press ENTER after you type each command.

net start wusyncservice

exit

The previously approved items are removed. These items appear as updated, as they did before you ran the Approval Analyzer Tool.

Keywords: kbtshoot kbsecurity kbexpertiseadvanced KB912307


© Microsoft Corporation. All rights reserved.