CCleaner Community Forums
hazelnut

Emergency update for XP from Microsoft


damn, you have to love stats and how they can be reported with huge bias.

 

that link login123 provided to Kaspersky states Windows 10 was the 3rd most affected OS, and although that is true, the supplied figures show it was 10th in the list, and at a whopping 0.03%.

that could even be discarded as a simple statistical anomaly.

but hey, never let the facts get in the way of a good story. :rolleyes:


Yeah, tend to agree with you there MTA. Love those stats, all they do is actually take away from what they are saying, and to be honest none of it is really surprising.

 

Like you point out, windows 10 was 10th on the list but 3rd most affected, perhaps it's because they broke it down a bit too much, I mean win7 32 & 64 & home 64 & win 7 home 32 are all simply win 7 (and were win 7 home 32/64 infection stats included or excluded from the other win 7 ones??) but if they didn't break it down so much they would have only had 3 os/s in that list, Win 7, R2 2008 Server, and Win 10 (well excluding Win 10 32 bit), so yeah still 3rd. While XP, Vista & win 8/8.x don't even appear on the list.

 

Seems to me it's kind of obvious win 7 was the worst hit, since it's got the largest usage share, and you can run it for years without updating it. Isn't it a no-brainer that it would be the worst hit? It was interesting that XP would give an error as opposed to being exploited though, and it's good that MS just patched the vulnerability regardless of support status.

 

But ultimately if one is looking to blame, you couldn't have blamed XP anyway, IMO only the NSA could be blamed, they found it and sat on it for however long (years would be my guess) and didn't report it to MS until they knew it had been "released", and that's assuming they actually did bother to report it to MS, since it isn't confirmed that they did. (oh and sure you can blame the people that made the exploit too but, I tend to think they couldn't have done it without the NSA's inadvertent help).


Andavari and other xp users, if I may ask, do you have a file in C:\ on your xp computer called tapicust.dll?

 

When I ran that second fix from post 28 it installed that file.  No restart required. 

If that is an old security update, then the file should be on most xp computers. 

It is gone from here as I had Powershadow running when I installed it. 


Nirsoft SearchMyFiles didn't find it anywhere on my system, so no, the physical file doesn't exist on my system.

 

I did however restart after that supposed "needed update", even though it never prompted to do so.

 

RegEdit however found it listed in the registry with this information - notice the build date that it lists (June 14, 2010):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316]
"Description"="Security Update for Windows XP (KB982316)"
"InstalledDate"="5/23/2017"
"InstalledBy"="YourUserNameWillBeHere"
"Type"="Update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316\Filelist]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316\Filelist\0]
"FileName"="tapicust.dll"
"Version"="5.1.2600.5996"
"BuildDate"="Mon Jun 14 04:06:12 2010"
"BuildCheckSum"="13f91"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316\Filelist\1]
"FileName"="tapicust.dll"
"Version"="5.1.2600.5996"
"BuildDate"="Mon Jun 14 04:06:12 2010"
"BuildCheckSum"="13f91"
Edited by Andavari
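
The registry check used in this thread, as an added example (not code from any poster or from Microsoft): it parses a regedit export of the Updates key in the layout posted above and reports which KB numbers are recorded and which are missing. The sample export and the names `parse_updates` and `audit` are assumptions made for illustration.

```python
import re

# Constructed sample: KB982316 values come from the post above (trimmed); the KB4012598 record is constructed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316]
"InstalledDate"="5/23/2017"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB982316\Filelist\0]
"FileName"="tapicust.dll"
"Version"="5.1.2600.5996"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB4012598]
"InstalledDate"="5/15/2017"
'''

# Key layout as posted: ...\Updates\Windows XP\<SP>\<KB>[\Filelist\<n>]
KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows XP'
                 r'\\[^\\\]]+\\(KB\d+)(\\Filelist\\\d+)?\]$', re.I)
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_updates(export_text):
    """Map each KB to its InstalledDate and Filelist records (Regedit 5.00 exports are UTF-16)."""
    updates, entry, file_rec = {}, None, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY.match(line)
            entry = file_rec = None          # values under other keys are skipped
            if m:
                entry = updates.setdefault(m.group(1).upper(),
                                           {'installed': None, 'files': []})
                if m.group(2):               # Filelist\<n>: one record per file
                    file_rec = {}
                    entry['files'].append(file_rec)
        elif entry is not None and (m := VALUE.match(line)):
            if file_rec is not None:
                file_rec[m.group(1)] = m.group(2)
            elif m.group(1) == 'InstalledDate':
                entry['installed'] = m.group(2)
    return updates

def audit(export_text, wanted):
    """Split the wanted KB numbers into (recorded, missing)."""
    found = parse_updates(export_text)
    return ({kb: found[kb] for kb in wanted if kb in found},
            [kb for kb in wanted if kb not in found])

print(audit(SAMPLE_EXPORT, ['KB982316', 'KB4012598', 'KB4022747']))
```

A recorded key shows only that the installer ran; the file named in its Filelist still has to be checked on disk, since the copies under $hf_mig$ can be gone while the key remains.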


Also I didn't find it inside my Macrium Reflect disk image I had made on the same day hours before installing that update. I looked in the usual places:

C:\Windows

C:\WINDOWS\Driver Cache\i386

C:\Windows\System

C:\Windows\System32

 

I noticed that file also doesn't exist inside of the sp3.cab located at:

C:\WINDOWS\Driver Cache\i386\sp3.cab


Thank you.  

Those reg entries don't exist on this machine at this time. 

Didn't check before restart.  The restart that would have removed them. 

 

After the installation of fix #2, but before restart, tapicust.dll was present at:

C:\WINDOWS\$hf_mig$\KB982316\tapicust.dll
C:\WINDOWS\$hf_mig$\KB982316\update\tapicust.dll
C:\WINDOWS\$NtUninstallKB982316$\spuninst\tapicust.dll

Your reg entries show the date of Hazelnut's post, "InstalledDate"="5/23/2017". 

I wonder why the dll is not present on your system since you did install the update? 

Also, if it was a 2010 update, why isn't it on this machine? 

 

Probably there is a good explanation that everybody else already knows.  :huh:

In any case, I guess I better reinstall that update permanently.

 

Thing is, lately I don't trust microsoft much. 

C:\WINDOWS\$hf_mig$\KB982316\tapicust.dll
C:\WINDOWS\$hf_mig$\KB982316\update\tapicust.dll
C:\WINDOWS\$NtUninstallKB982316$\spuninst\tapicust.dll

Your reg entries show the date of Hazelnut's post, "InstalledDate"="5/23/2017". 

I wonder why the dll is not present on your system since you did install the update?

 

I did install it again, but it was done in about 1 second as if it skipped the update since it was already installed all those years ago.

 

Also the reason that dll isn't present on my system is because my batch file cleaner has code in it to delete $hf_mig$ and those $NtUninstallKB* folders - being as XP was never intended to get any more updates from Microsoft.


OK, thanks, I understand. 

Still seems like the dll itself should be somewhere in your windows.  ??

I'm going to install that update permanently. 

Will report back if that dll winds up somewhere in windows. 

Will be a day or two. 


If the only place you're finding it on your system is in the folders for $hf_mig$ and $NtUninstallKB982316$, that's why it wouldn't be on mine since my batch cleaner automatically removes those folders.

That first update they released to protect against that ransomware virus was the one I tracked the installation of, being that it was new and I was waiting for a new update to screw something up just like in years past with so many botched updates. I however didn't bother tracking the installation of that old re-released update since it was already installed.


Microsoft have released 3 more updates for XP this month apparently to protect against 'EnglishmanDentist, EsteemAudit, and ExplodingCan'

 

 https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

 

More info here

http://www.computerworld.com/article/3200765/windows-pcs/theres-a-reason-microsoft-is-patching-windows-xp-again-this-month.html


 

That article states "you can get them through Windows Updates", although they weren't listed as available on my XP system, and Automatic Updates doesn't list them either.

 

And like Trium stated, what 3 updates? That Microsoft page is confusing the way they have it laid out, which was why I instead tried to get them via Windows Updates ("Microsoft Updates") and Automatic Updates, but as I mentioned they weren't available.


Did some digging:

 

 

KB958644 is an old one they're supposedly re-releasing but why? It's dated 10/22/2008 (22 October 2008):
I don't need it as it's already installed when I did a search with RegEdit, it's for netapi32.dll located in C:\Windows\System32:
https://www.microsoft.com/en-us/download/details.aspx?id=3205


KB2347290 results in a broken error page - but it's for an old 2010 or 2011 patch for the print spooler:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB2347290%20windows%20xp


KB4012598 is new as of 5/15/2017 (15 May 2017):
When I checked it is NOT available via Automatic Updates / Microsoft Updates / Windows Updates:
https://www.microsoft.com/en-us/download/details.aspx?id=55245


KB4012583 is new as of 6/13/2017 (14 June 2017):
When I checked it is NOT available via Automatic Updates / Microsoft Updates / Windows Updates:
https://www.microsoft.com/en-us/download/details.aspx?id=55460

I wonder why they're re-releasing very old patches like the last one, which was a telephony patch that any XP system would already have applied because it was when they supported the OS with updates. The old re-releases don't help but instead make it confusing.


...so I have downloaded and installed all the updates for XP SP3, because none of these were available through manual Windows Update or online on the Windows Update site specifically for XP, and I didn't yet have any of these updates on my XP.

 

older platforms 1 of 3

 

WindowsXP-KB958644-x86-DEU.exe
Release date: 22.10.2008
File Size: 641 KB

KB article: KB958644

Security bulletins: MS08-067

Server service can allow remote code execution
When an affected system receives a specially crafted RPC request

On systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003

 

______________________________________

Security Update for Windows XP (KB2347290)
Last modified: 13.09.2010
Size: 511 KB


MSRC number: MS10-061
MSRC severity: Critical
KB article numbers: 2347290
More information:
http://go.microsoft.com/fwlink/?LinkId=200505
Support-URL:
http://support.microsoft.com



Printer queue service can allow remote code execution
When an attacker sends a specially crafted print request


Mitigating Factors
- On any of the currently supported Windows operating systems, printers are shared by default.
- Systems are only vulnerable to remote access when a printer is shared and the remote accesser can access the printer share.
- By using best practices for the firewall and standardized firewall configurations, networks can be protected from remote attacks from outside the organization. A proven method is to open a minimal number of ports for systems that are connected to the Internet.


Block the ports used for RPC on the firewall
- The UDP ports 135, 137, 138, and 445, as well as the TCP ports 135, 139, 445, and 593.
- The unwanted incoming traffic with ports > 1024.
- All other specially configured RPC ports.

Multiple Windows services use the affected ports. By blocking the connection to the ports, different applications or services may stop working. Some of the potentially affected applications and services are listed below
- Applications using SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (file and printer sharing)
- Group Policy
- registration service
- Distributed File System (DFS)
- Terminal Server licensing
- print queue
- computer browser
- Remote Procedure Call Locator
- Fax service
- Indexing service
- Performance logs and warning messages
- Systems Management Server
- License Logging

 

____________________________________

WindowsXP-KB4012583-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 1.5 MB

KB article: KB4012583

Security bulletins: MS17-013


Microsoft graphics component
In Microsoft Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight
When a user visits a specially designed website or opens a specially designed document. This may have less impact for users with fewer system privileges than for users who work with administrative rights

 

____________________________________
WindowsXP-KB4012598-x86-Custom-DEU.exe
Release date: 15.05.2017
File Size: 673 KB

KB article: KB4012598

Security bulletins: MS17-010


Microsoft Windows SMB Server
When an attacker sends a series of specially designed messages to an affected Windows SMBv1 server


older platforms table 2 of 3

 

WindowsXP-KB3197835-x86-Custom-DEU.exe -> CVE-2017-7269 [EXPLODINGCAN]
Release date: 13.06.2017
File Size: 613 KB

KB article: KB3197835

Security bulletins: MS16-143


WebDAV remote code execution
exists in IIS when WebDAV improperly handles objects in memory

 

 

______________________________________

Cumulative Security Update for Internet Explorer 8 on Windows XP SP3 (KB4018271)

IE8-WindowsXP-KB4018271-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 10.5 MB

KB article: KB4018271


when Internet Explorer improperly accesses objects in memory

 

 

____________________________________

WindowsXP-KB4018466-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 673 KB

KB article: KB4018466


Windows SMB Information Disclosure
that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests

 

 

____________________________________

WindowsXP-KB4022747-x86-Custom-DEU.exe -> CVE-2017-0176 [ESTEEMAUDIT]
Release date: 13.06.2017
File Size: 551 KB

KB article: KB4022747

in Remote Desktop Protocol (RDP) if the RDP server has Smart Card authentication enabled

 

 

____________________________________

WindowsXP-KB4024323-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 855 KB

KB article: KB4024323


Windows RPC remote code execution
exists in RPC if the server has Routing and Remote Access enabled


older platforms table 3 of 3

 

WindowsXP-KB4019204-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 1.4 MB

KB article: KB4019204

Win32k Elevation of Privilege
when the Windows kernel-mode driver fails to properly handle objects in memory

 

 

____________________________________

WindowsXP-KB4024402-x86-Custom-DEU.exe
Release date: 13.06.2017
File Size: 1.0 MB

KB article: KB4024402

 

 

____________________________________

WindowsXP-KB4025218-x86-Custom-DEU.exe -> CVE-2017-8487 [ENGLISHMANSDENTIST]
Release date: 13.06.2017
File Size: 526 KB

KB article: KB4025218

olecnv32.dll remote code execution


The only 3 that I will be installing are the ones I linked to in post #45 of this thread.

 

KB4022747

KB3197835

KB4012583

 

You can download and install them from the Microsoft Update Catalogue.

 

 

EDIT..

Actually here is a much better list of the XP updates

 

https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-windows-xp-security-updates-for-previously-ignored-nsa-hacking-tools/


That KB4012598 is to protect against WannaCrypt ransomware yet the resulting download page unlike the original when it was first released doesn't even mention it's to protect against WannaCrypt.

 

Microsoft is making things unnecessarily confusing in my opinion, that WannaCrypt patch has matching SHA-256 hashes but they've changed the filename:

Original: KB4012598-x86-WindowsXPSP3.exe

Now: WindowsXP-KB4012598-x86-Custom-ENU.exe

 

 

That explains why it wouldn't install again on my system, when I ran the new installer name without realizing it was the same patch for WannaCrypt it finished in about 1 second - doing nothing.

Edited by Andavari

