MS09-010 960477 KB923561 FAILED on all Servers.

Trying to install on Windows 2003 Servers SP2 up to date patches. All new
patches install except above. Work around appears to be

This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
This file is set to read/execute only for the "everyone" group. Because of
this, it causes the patch to fail installation. I have tested and confirmed
that changing the permissions for the file to read/write will allow the patch
to apply. I then changed it back to read/execute.

Since this will require a lot of administrative effort, I wrote a quick
script to change the permissions on this file to RW, and then another to
change it back to read/execute.

However - Why should I need to do this? Should it not just install?

[Forwarded to Windows Server General & Security newsgroups via crosspost for
greater exposure]

See the "How to obtain help..." section of
http://support.microsoft.com/kb/960477 or
http://support.microsoft.com/kb/923561
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and
> confirmed
> that changing the permissions for the file to read/write will allow the
> patch to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

Yes - but how does one get around the issue? This is happeneing on a
significant number of servers. MS email support is a joke.

"PA Bear [MS MVP]" wrote:

> [Forwarded to Windows Server General & Security newsgroups via crosspost for
> greater exposure]
>
> See the "How to obtain help..." section of
> http://support.microsoft.com/kb/960477 or
> http://support.microsoft.com/kb/923561
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Client - since 2002
>
> JustJeff wrote:
> > Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> > patches install except above. Work around appears to be
> >
> > This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> > This file is set to read/execute only for the "everyone" group. Because of
> > this, it causes the patch to fail installation. I have tested and
> > confirmed
> > that changing the permissions for the file to read/write will allow the
> > patch to apply. I then changed it back to read/execute.
> >
> > Since this will require a lot of administrative effort, I wrote a quick
> > script to change the permissions on this file to RW, and then another to
> > change it back to read/execute.
> >
> > However - Why should I need to do this? Should it not just install?
>
>

[Jeff, if I knew why you were experiencing these failures and how you could
"get around" them, I'd tell you. Let's let some others reply to your
thread.]

JustJeff wrote:
> Yes - but how does one get around the issue? This is happeneing on a
> significant number of servers. MS email support is a joke.
>
> "PA Bear [MS MVP]" wrote:
>
>> [Forwarded to Windows Server General & Security newsgroups via crosspost
>> for greater exposure]
>>
>> See the "How to obtain help..." section of
>> http://support.microsoft.com/kb/960477 or
>> http://support.microsoft.com/kb/923561
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Client - since 2002
>>
>> JustJeff wrote:
>>> Trying to install on Windows 2003 Servers SP2 up to date patches. All
>>> new
>>> patches install except above. Work around appears to be
>>>
>>> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
>>> This file is set to read/execute only for the "everyone" group. Because
>>> of
>>> this, it causes the patch to fail installation. I have tested and
>>> confirmed
>>> that changing the permissions for the file to read/write will allow the
>>> patch to apply. I then changed it back to read/execute.
>>>
>>> Since this will require a lot of administrative effort, I wrote a quick
>>> script to change the permissions on this file to RW, and then another to
>>> change it back to read/execute.
>>>
>>> However - Why should I need to do this? Should it not just install?

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?

do you have some sort of hardening template installed? I don't have
"read/execute for the Everyone group" on mine?

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?
Warning Undo this workaround before installing this security update.

In order to apply the access list, run the following commands from the
command prompt. Note that some of these may result in an error message,
this is expected.

echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /P
everyone:N
echo y| cacls "%ProgramFiles%\Common Files\Microsoft
Shared\TextConv\mswrd632.wpc" /E /P everyone:N

echo y| cacls "%ProgramFiles%\Common Files\Microsoft
Shared\TextConv\mswrd632.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft
Shared\TextConv\mswrd632.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft
Shared\TextConv\mswrd632.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /P
everyone:N
echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E
/P everyone:N

Impact of workaround. Upon implementing the workaround, the user will no
longer be able to convert Word 6 documents to WordPad RTF or Word 2003
documents. Microsoft Office Word will return an error saying, "The file
appears to be corrupted."

How to undo the workaround.

echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc" /E /R
everyone
echo y| cacls "%ProgramFiles%\Common Files\Microsoft
Shared\TextConv\mswrd632.wpc" /E /R everyone
echo y| cacls "%ProgramFiles%\Common Files\Microsoft
Shared\TextConv\mswrd632.cnv" /E /R everyone

echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft
Shared\TextConv\mswrd632.wpc" /E /R everyone
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft
Shared\TextConv\mswrd632.cnv" /E /R everyone

echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc" /E /R
everyone
echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc" /E
/R everyone



You did the mitigtion, you have to undo it first.

JustJeff wrote:
> Trying to install on Windows 2003 Servers SP2 up to date patches. All new
> patches install except above. Work around appears to be
>
> This tries to modify C:\Program Files\Windows NT\Accessories\mswrd8.wpc.
> This file is set to read/execute only for the "everyone" group. Because of
> this, it causes the patch to fail installation. I have tested and confirmed
> that changing the permissions for the file to read/write will allow the patch
> to apply. I then changed it back to read/execute.
>
> Since this will require a lot of administrative effort, I wrote a quick
> script to change the permissions on this file to RW, and then another to
> change it back to read/execute.
>
> However - Why should I need to do this? Should it not just install?
Disable the Word 6 converter by restricting access

An administrator can apply an access control list to affected converters
to ensure that the converter is no longer loaded by WordPad and Office.
This effectively prevents exploitation of the issue using this attack
vector.

Warning Undo this workaround before installing this security update.

"JustJeff" <JustJeff@discussions.microsoft.com> wrote in message
news:EDFEF978-7A4B-4DFB-8FD5-560FC323476A@microsoft.com...
> Yes - but how does one get around the issue? This is happeneing on a
> significant number of servers. MS email support is a joke.

Hello Jeff,

I have not been following the whole thread, and only see the past 3 posts.
But I must say, I've actually have not seen any problems with this update,
or others. I don't see why you have to alter any permissions for any updates
to be installed onany server unless basic out of the box configuration has
been altered or a security template has been applied.

Have you made any configuration changes to your DCs and servers, such as C:
drive permission changes, disabled services (such as the required DHCP
Client service), or anything like that based on company SOP? Are you only
using your internal DNS servers for all machines' IP properties?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:e7G7yAuvJHA.1492@TK2MSFTNGP03.phx.gbl...
> [Jeff, if I knew why you were experiencing these failures and how you
> could "get around" them, I'd tell you. Let's let some others reply to
> your thread.]


To add, after looking into it deeper, and I don't know if this was discussed
in this thread, but it appears the following article indicates the
installation may fail if 960906 was installed prior to this installation.
MS09-010: Description of the update for Windows WordPad Converter: April 14,
2009
http://support.microsoft.com/?id=923561

And this is 960906, that indicates it changes permissions on that file:
Microsoft Security Advisory: Vulnerability in Wordpad Convertor could allow
remote code execution
http://support.microsoft.com/?id=960906

I assumed if you have numerous servers, that you read the bulletins and
articles prior to installation?

Ace

Ace Fekay [Microsoft Certified Trainer] wrote:
> "JustJeff" <JustJeff@discussions.microsoft.com> wrote in message
> news:EDFEF978-7A4B-4DFB-8FD5-560FC323476A@microsoft.com...
>> Yes - but how does one get around the issue? This is happeneing on a
>> significant number of servers. MS email support is a joke.
>
> Hello Jeff,
>
> I have not been following the whole thread, and only see the past 3 posts.
> But I must say, I've actually have not seen any problems with this update,
> or others. I don't see why you have to alter any permissions for any
> updates
> to be installed onany server unless basic out of the box configuration has
> been altered or a security template has been applied.
>
> Have you made any configuration changes to your DCs and servers, such as
> C:
> drive permission changes, disabled services (such as the required DHCP
> Client service), or anything like that based on company SOP? Are you only
> using your internal DNS servers for all machines' IP properties?

> I have not been following the whole thread, and only see the past 3 posts.

That's because the newsservers are still horked and have been for the past
month or so.

Here's the entire thread as archived in Google Groups:
http://groups.google.com/group/micro...3fab655525f3da

Right now, it's showing eight (8) posts, including your two (2). Expand the
quote in the first post (mine) to see Jeff's first post.