From: Gis Bun on
If I can add my 2.5 cents' worth here, KB950582 should be released for Windows
XP and Server 2003, especially with the W32.Conflicker [?] or W32.Downadup
malware floating around. Additionally, this is probably also needed by
companies to comply with PCI DSS requirements.

It's not even available in the Windows Catalog.

Gis


"Joan Delgado" wrote:

> Hi Eddie
>
> I think this is good info:
>
> There were two separate issues involved here:
> 1) Autorun
> 2) Windows Explorer Search - RCE
>
> #1 Autorun was an advisory which affected XP / WS03 / Vista and was placed
> only on the DLC because it was an advisory.
> However, the Vista package also contained #2 (Windows Explorer Search – RCE),
> which is why it was released via WU / WSUS.
>
> If you look under the FAQ for MS08-038, you will see it also contains the
> following:
>
> Does this update contain any security-related changes to functionality?
> Yes. Besides the changes that are listed in the “Vulnerability Details”
> section of this bulletin, this security update also resolves a publicly known
> issue with Autorun functionality in Windows Vista and Windows Server 2008
> systems. The update correctly disables the right-click and double-click
> behavior controlled by the NoDriveTypeAutorun registry key. This corrects the
> issue identified in CVE-2008-0951 on Windows Vista and Windows Server 2008.
> For more information on the usage of this registry key, see the TechNet
> article, NoDriveTypeAutoRun.
>
> Hope this helps.
>
>
> --
> Joan Delgado
> blog: http://www.onlydifferent.net
>
>
> "Eddie" wrote:
>
> > Why isn't this patch "important enough" to push the 2k, 2k3 and XP patches to
> > WSUS so they are able to be deployed? We are required to push this out to an
> > ungodly amount of computers. Can nothing else be done to add these patches?
> > If not, is there a way to add it to our WSUS 3.0 server?
> >
> > "Harry Johnston [MVP]" wrote:
> >
> > > PA Bear cross-posted something Joan Delgado wrote:
> > >
> > > >> MS08-038: Vulnerability in Windows Explorer could allow remote code
> > > >> execution http://support.microsoft.com/kb/950582/en-us
> > > >>
> > > >> The customer uses WSUS to apply the updates and they asked me about this
> > > >> because this one only applies to Vista and W2k8, but they found this
> > > >> update for XP with the same KB. The problem is that WSUS doesn't show this
> > > >> update for XP.
> > >
> > > It looks as though the Windows XP version of the update is not considered
> > > important enough to be released via WSUS, but has received enough testing to be
> > > made available via the download center.
> > >
> > > >> We don't understand why an update exists for XP, 2k3 and 2k if the
> > > >> bulletin only applies to Vista and 2k8?
> > >
> > > As I understand it, the update corrects an issue which exists in all of these
> > > Windows versions. However, the issue only creates a security vulnerability on
> > > Vista and 2008.
> > >
> > > There is more information about the 2k/XP/2003 update in KB953252:
> > >
> > > <http://support.microsoft.com/kb/953252/>
> > >
> > > Harry.
> > >