Service Pack 1 for Vista *released ahead of schedule by mistake* D'oh!

fenix-store
M

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
Update: somebody at Microsoft pushed the big "release Service Pack 1!" button by mistake, resulting in it being available ahead of the intended schedule at Windows Update for a while. Looks like they've gone back to the planned schedule, so look for it in March or so.


For those who may have been wondering when SP1 for Vista would debut to the general public, I hear it's available now via Windows Update (I already installed it via a pre-release source). If you're a sysadmin with computers that are configured for automatic updates directly from Microsoft, and want to stall SP1 auto-installation until you've evaluated it, there's also a Service Pack Blocking Tool available at Microsoft's site.

There was a SP1-prerequisite patch in February's batch which caused looped-boot problems on some computers, but if Vista successfully patched itself with all of February's updates, then you're ready for SP1. If not, you'd probably know it by now :)

edit: as tiktok 22 notes below, this prerequisite patch is currently available only for manual installation, because they're trying to determine why it sometimes fails. But it's already installed on most peoples' Vista installations, since it was available on Automatic Updates for a couple weeks.

Tangentially, for WinXP users who'd like to play with the second release candidate of SP3 for WinXP, it's possible to get that through the Microsoft Update site after applying a small Registry patch. Being a beta, you should take the usual precautions if you decide to play with it :tinfoil: I don't see anything super-compelling there, and would wait for the final version myself.
 
Last edited:
Re: Service Pack 1 for Vista should now be available

tiktok 22 said:
Just read this about the SP1 being pulled.
Click to expand...

That's the prerequisite patch which I mentioned. If your system had a problem with it, you would know it by now, because Vista wouldn't fully boot. At my primary Forum hangout, more people use Vista than WinXP on their primary system, and I only recall two or three reporting the looped-boot problem, so it does exist, but isn't exactly epidemic.

If your system didn't have a problem with KB937287, then you probably have it installed right now, and are cleared for SP1 installation itself.

edit: I see Griffinhart reporting that the prerequisite patch, KB937287, is also available via Windows Update again.
 
Last edited:
Re: Service Pack 1 for Vista should now be available

mechBgon said:
For those who may have been wondering when SP1 for Vista would debut to the general public, I hear it's available now via Windows Update (I already installed it via a pre-release source).
Click to expand...

Thoughts and impressions? :popcorn:
 
Re: Service Pack 1 for Vista should now be available

Beamhead said:
Thoughts and impressions? :popcorn:
Click to expand...

Truth be told, I haven't noticed much on the surface... the GUI might be a little more "perky," or I might just be imagining things :tinfoil: I'm not currently doing heavy file moving/copying, locally or on the network, but that's among the claimed improvements, and I've seen some people saying they notice the speed improvements. There's a big ol' list of SP1 changes here:

http://technet2.microsoft.com/windo...f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true
 
Re: Service Pack 1 for Vista should now be available

Beamhead said:
Thoughts and impressions? :popcorn:
Click to expand...

What would happen if the computer warfare division of a foreign country hacked into the Microsoft Auto Update system and started reprogramming Microsoft's customers ?

What if they did a really nice job of it ?

What if they had inside help ?
 
Re: Service Pack 1 for Vista should now be available

NA8 said:
What would happen if the computer warfare division of a foreign country hacked into the Microsoft Auto Update system and started reprogramming Microsoft's customers ?

What if they did a really nice job of it ?

What if they had inside help ?
Click to expand...
OK then..................:whistle: :tinfoil:
 
Re: Service Pack 1 for Vista should now be available

NA8 said:
What would happen if the computer warfare division of a foreign country hacked into the Microsoft Auto Update system and started reprogramming Microsoft's customers ?

What if they did a really nice job of it ?

What if they had inside help ?
Click to expand...

Something along those lines was tried on a small scale, if I recall correctly. Let's see how good my Google skeels are... aha, here we go: http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx

In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.

The certificates could be used to sign programs, ActiveX controls, Office macros, and other executable content. Of these, signed ActiveX controls and Office macros would pose the greatest risk, because the attack scenarios involving them would be the most straightforward. Both ActiveX controls and Word documents can be delivered via either web pages or HTML mails. ActiveX controls can be automatically invoked via script, and Word documents can be automatically opened via script unless the user has applied the Office Document Open Confirmation Tool.

Even though the certificates say they are owned by Microsoft, they are not bona fide Microsoft certificates, and content signed by them would not be trusted by default. Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation". The danger, of course, is that even a security-conscious user might agree to let the content execute, and might agree to always trust the bogus certificates.

VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to locate and use the VeriSign CRL. Microsoft has developed an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.

Customers should take notice of the caveats listed below in the section titled "Additional information about this patch", and in particular should note that the update will need to be re-installed when upgrading to any currently-available version of Windows or Internet Explorer. Versions of Windows beginning with Windows XP Gold and Windows 2000 Service Pack 2, and versions of Internet Explorer beginning with IE 6 will not require the update to be re-installed.

Customers who do not wish to install the update should take the following steps to protect themselves in the event that they encounter hostile code signed by one of the certificates:

Visually inspect the certificates cited in all warning dialogues. The two certificates at issue here were issued on 29 and 30 January 2001, respectively. No bona fide Microsoft certificates were issued on these dates. The FAQ and Knowledge Base article Q293817 provide complete details regarding both certificates.
Install the Outlook Email Security Update to prevent mail-borne programs from being launched, even via signed components, and install the Office Document Open Confirmation Tool to force web pages to request permission before opening Office documents.


Mitigating factors:
The certificates are not trusted by default. As a result, neither code nor ActiveX controls could be made to run without displaying a warning dialogue. By viewing the certificate in such dialogues, users can easily recognize the certificates.
The certificates are not the bona fide Microsoft code-signing certificates. Content signed by those keys can be distinguished from bona fide Microsoft content.


Vulnerability identifier: None. This issue is not the result of a flaw in a Microsoft product; it results because of an error made by a third party.
Click to expand...

If you're a dyed-in-the-wool "trust no one" guy, you might want to look up... what was it, Ken Thompson's "Reflections on Trusting Trust." Excerpt from teh Wikipedia:

Thompson's paper described a modified version of the UnixC compiler that would:
  • Put an invisible backdoor in the Unix login command when compiled, and as a twist
  • Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack.
Click to expand...
 
Last edited:
Re: Service Pack 1 for Vista should now be available

Everyone can :hahaha::hahaha::hahaha:at Microsoft... Microsoft accidentally releases SP1 early

Someone musta missed their morning coffee :laughing: Well anyway, for those who sneaked out their SP1 a few weeks ahead of time, enjoy!
 
You must log in or register to reply here.

Similar threads

Lowglow
  • Locked
Treatment of Trump and Republicans by the media
6 7 8
Replies
145
Views
3K
raggie33
raggie33
Kestrel
Which music playlist app / service ?
Replies
2
Views
146
iacchus
iacchus
SCEMan
I'll have to stop by for a drink...
Replies
1
Views
328
orbital
orbital
V
New season of Forged in Fire
Replies
8
Views
459
vincent3685
V
IMA SOL MAN
#1 CAUSE OF BLACKOUTS
3 4 5
Replies
85
Views
6K
Monocrom
Monocrom

Latest posts

Top