Downloading XP security patches question

I'm going to visit Dad for Christmas. Dad only has 28.8K dialup and he is way behind on his XP security updates including Service Pack 3. I have downloaded the standalone install version of Service Pack 3 and wish to do the same for all the hotfixes since. In the same page where I downloaded SP3, I see a couple of security patch updates but gosh I know there have been several since the release of SP3 including the IE7 vulnerability just a couple of days ago. Is there away to identify all the security patches since SP3 release and download them all as standalone installs? I would like to try to do so and then install them upon my visit.

I'll look around for a list. - here's some. (I found the site but havn't checked the links.)

Be aware SP# may cause an issue you have to fix (with some PC's) LINKY

I had it happen on a couple PCs.

geepondy said:

I'm going to visit Dad for Christmas. Dad only has 28.8K dialup and he is way behind on his XP security updates including Service Pack 3. I have downloaded the standalone install version of Service Pack 3 and wish to do the same for all the hotfixes since. In the same page where I downloaded SP3, I see a couple of security patch updates but gosh I know there have been several since the release of SP3 including the IE7 vulnerability just a couple of days ago. Is there away to identify all the security patches since SP3 release and download them all as standalone installs? I would like to try to do so and then install them upon my visit.

Click to expand...

The exact patches he'll need can vary depending on what-all he has installed. For example, if he has any Office or Works software, including the free viewers, he may need Office patches. If he has .NET of any version, he may need patches for that.

One simple way to find out, is to have him run the Microsoft Baseline Security Analyzer. On 28.8k, this will take a while to fetch the current database before it can check his system, so he'd still need to let it do its thing for a few hours.

When complete, it would give a result like the larger pic below. Clicking on all of the "result details" will open new windows with direct links to the patches that MBSA checked for, whether they're needed or not. So if he can take a screenshot of each results page, and send them to you, now you have a list of the patches and Service Packs he'll need.

Note that he needs to report the missing patches from all of the "result details" pages, not just one of them. The second pic is my Windows Security Updates page, and that's a post-SP3 WinXP installation, so the patches identified in that picture are a good starting point to download, but as I mentioned, he may need others depending on what-all he has installed. And as a follow-on to this whole procedure, the free Secunia online or installable checkup is really good too... Secunia says that less than 2% of their first-time users are fully patched. Their checkup will help fix vulnerable third-party stuff like outdated QuickTime, Flash Player, Java, browsers, media players, etc.

Oh, and if he has WinXP "Service Pack zero" or WinXP Service Pack 1, I suggest updating to Service Pack 2 before installing Service Pack 3. But hopefully he's not that far behind the curve Disable the real-time antivirus protection before you start the SP3 installation, to prevent possible interference from the antivirus.

Moderator note: OVERSIZED PIC deleted...


MBSA's scan completed.


One of the "result details" pages.

SP3 took about 40 minutes on my computer. Then I installed the IE explorer patches and they loaded very quickly after that. But my computer is set on automatic update, however it did NOT download the newest IE 7 patches. I had to do that separately. I didn't want to chance it since my bank account was pilfered of $5000 earlier this year.

SP2 is installed on the system but there aren't a lot of extras. It probably has IE6 as he uses Firefox (I will update him from 2 to 3 on that), I think the version of media player that came with XP although he does have an older version of Office, I think Office for XP.

Wasn't there a problem with SP3 and some AMD systems? He has a Asus A7V400mx motherboard with either a Via KM400A or VT8235 CE chipset (according to manual) with a Sempron CPU.

I also was thinking of installing Norton IS 2009 as I have an extra key and it is so much quicker and lighter on resources then previous versions. He currently has the free version of AVG and free version of Zone Alarm Firewall. I think he runs one of the free spyware detectors from time to time as well. One advantage of leaving him with the free AVG is it doesn't push the updates on you but rather just tells you when you are out of date. When you are only running 28.8k, you want your pipeline to be free as possible for your own use. Not sure how much NIS 2009 would use the pipeline.

Gosh with all those updates, I'm wondering if it's worth it. As mentioned, it's only 28.8k and he's only on the Internet for an hour or two a day at the most I think. If you put SP3 and subsequent updates and find there is a problem, will a pre-install windows restore take care of it? As I don't have a high speed connection available to me, I'll be in a pickle if I run into a problem that I'll have to further investigate online.

Long windows updates is why I finally popped for broadband internet.

If you can, it maybe better to take the whole PC to someplace where you can get a live highspeed internet connection (or wait several days for dialup--I used to do that--with phone forwarding to my cell phone).

And, backup before you do the SP3 upgrade--hosed one of my systems. Get a USB external drive (500+ GigaBytes for less than $100)--would be good anyway for backups.

-Bill

If you can get the service packs at least, and bring them with you on a disk or flash drive, that will make it go a LOT faster.

There is an option for downloading the SP files from MS website. Sorry I can't provide links but it should be easy to find. Maybe a search with a word group like "computer admisitrator service pack file" or something similar. I've seen this done this way before.

geepondy said:

SP2 is installed on the system but there aren't a lot of extras. It probably has IE6 as he uses Firefox (I will update him from 2 to 3 on that), I think the version of media player that came with XP although he does have an older version of Office, I think Office for XP.

Click to expand...

Even if he does only use FireFox himself, I still recommend installing IE7, since it's got security features that IE6 doesn't have. You can download the full IE7 installer from Microsoft too.

If he has OfficeXP and has not been patching it, then you'll need Service Pack 3 for OfficeXP and then some post-SP patches for OfficeXP, which the Microsoft Baseline Security Analyzer will identify for you.

Here is info on backing out of a Service Pack 3 install on WinXP if it goes haywire: http://support.microsoft.com/kb/950249 As I mentioned before, it would be smart to disable real-time antivirus protection before you commence. Since you're considering installing NIS 2009 anyway, you might as well completely uninstall the old antivirus, install Service Pack 3 and other patches you've brought along, and then install NIS 2009 when you're done.

I have some further security suggestions on this page, including fully enabling Data Execution Prevention; getting the Microsoft Update engine so his system auto-patches Office as well as Windows; and that Secunia checkup utility to fix the vulnerabilities in third-party stuff like media players, browser add-ons, and so forth. There is also the big one: using a non-Admin account for daily-driver stuff.

Hope that helps

Thank you MechBgon others. I did follow your advice for my own PC as you had posted it on a previous thread.

What I've done so far is download SP3 and the eight critical patches. I also downloaded IE7 and the three hotfixes but if he never uses IE, is there really a need to install it?

I also downloaded Firefox 3 and the free version of Superantispyware. While the MS baseline analyzer would be helpful, I just don't want to do anything that requires online download. You don't realize just how slow 28.8k dialup is. It takes two minutes to load a CPF page without any pictures. It's a five plus minute experience just to log on to Verizon and check my email. Even 56K is quite a bit zippier. I guess Satellite Internet is his only option but that's still pretty expensive along with upfront or rental equipment costs.

I'm thinking I'll also leave him with the free AVG and Zone Alarm. As I mentioned, I fear Norton Internet Security will push the updates on him and given the nature of his surfing, I think getting the latest updates once a week is probably sufficient.

So having said what I plan on doing, do you think that will improve the situation? Without doing all recommendations for maximum security am I leaving out any steps that is real foolish?

Thanks again for everybody's comments.

geepondy said:

Thank you MechBgon others. I did follow your advice for my own PC as you had posted it on a previous thread.

What I've done so far is download SP3 and the eight critical patches. I also downloaded IE7 and the three hotfixes but if he never uses IE, is there really a need to install it?

Click to expand...

If something invokes IE in an attempt to work mischief (cross-browser exploit or whatever), I'd sure rather have IE7 invoked than IE6, is why I suggested updating to IE7 if you can.

I'm thinking I'll also leave him with the free AVG and Zone Alarm. As I mentioned, I fear Norton Internet Security will push the updates on him and given the nature of his surfing, I think getting the latest updates once a week is probably sufficient.

Click to expand...

AVG's detection rates are unimpressive, and the bad guys crank out new malware non-stop every minute of the day. I'd try for at least daily updates, but you can also take steps to make the antivirus far less critical to the overall defense of the system. I'm sure I posted a link to my suggested plan already, otherwise it's in my signature. If you implement those steps, then a failure on the part of the antivirus software will generally be a non-event.

Without doing all recommendations for maximum security am I leaving out any steps that is real foolish?

Click to expand...

If he can run a non-Admin user account for day-to-day stuff, that's a huge step forward in security, with no reduction in performance, no cost, no updates required. Part of its value is that it'll "contain" many types of attacks even if they're successfully launched, which is especially valuable if his computer will be slow to get its updates, leaving it technically vulnerable in the meanwhile. If you try changing to a non-Admin account and it doesn't work out, you can always switch him back, it only takes a minute.

If the non-Admin account works OK for him, then Software Restriction Policy is another great tweak that works hand-in-hand with the non-Admin account. The main issue I foresee with SRP is if programs are installed to abnormal locations on the hard drive, instead of in C:\Program Files where they belong. That can be fixed by either reinstalling them into C:\Program Files, or by creating a Path Rule to accomodate their non-standard locations. Like a non-Admin account, SRP doesn't need updates, it doesn't cost anything extra, it has no noticable performance impact, and it protects your other layers of security from sabotage.

On a different tangent, make sure he's up to speed about phish. All the computer security in the world won't stop the user from being duped and giving away confidential information that leads to identity theft.

I've decided I will put Norton IS 2009 on his PC. If it pushes too many updates then can always go back to the free stuff. I'm also going to install the trial version of Acronis True Image home 2009 and back up his hard drive to either DVD(s) (he doesn't have too much) or my 8 gig flash drive before I start.

Anybody know of any bargain places to purchases Acronis True Image? On ebay I find killer deals on Norton IS 2009 but I don't see any on Acronis True Image. The cheapest I have seen it is $45 only five dollars off list.

good thread... been holding off installing sp3 due to all the negative feedback. IMHO MS wants trouble for XP installs to help folks down the path to Vista... which is the most bloated OS around!

FWIW, I've been running XP SP3 for a while - no issues.

Geepondy - I still remember when we got a (shared) 14.4 connection. It was FAST internet! Not sure what I'd do without broadband these days.

cy said:

good thread... been holding off installing sp3 due to all the negative feedback. IMHO MS wants trouble for XP installs to help folks down the path to Vista... which is the most bloated OS around!

Click to expand...

I help moderate a computer forum with almost 200,000 members, and haven't heard much negative feedback about SP3 for WinXP. Where did you hear that there were lots of problems with it? What sorts of problems in particular? Since Microsoft will be supporting WinXP until 2013, why would it be in their interest to deliberately cause problems that their own tech support would have to deal with daily for the next 5 years?

Think about it. :candle:

Heck, Apple's had problems with their recent update for OS X. Maybe they're trying to drive Vista adoption too... ...orrrrr maybe not.

Regarding Vista adoption in general, I watch Valve's ongoing hardware survey, and I see that the ratio of Vista-to-XP users is now about 1 : 2.3 and building. Granted, that's the gaming community, so their systems tend to be well-equipped (plenty of RAM, etc).

to begin with MS has repeatedly extended end of service life for XP. don't think your 2013 date existed until recently. there was plenty of folks not happy about getting their system hosed after installing sp3... this was way back when Vista was introduced and sp3 had just came out... all sorts of unhappy folks with vista... most business customers refused to upgrade to vista...and had enough clout to force MS to extend end of life for XP.

again.. this was back when sp3 first came out... have lost track of current developments with XP...

the issue with vista consuming massive amounts of ram... has resolved itself by the huge drop in ram prices... but when vista came out... there were plenty of unhappy folks.... now what remains is vista's forced end of life for applications like Office 2k.... for all practical purposes, office 98 and 2k has 99% of feature most would ever use. vista forces user to pay office tax again... again... LOTS of unhappy business users don't want vista.

then there's MS's nasty little forced scan of your vista system before being allowed to download certain app's.

mechBgon said:

I help moderate a computer forum with almost 200,000 members, and haven't heard much negative feedback about SP3 for WinXP. Where did you hear that there were lots of problems with it? What sorts of problems in particular? Since Microsoft will be supporting WinXP until 2013, why would it be in their interest to cause problems that their own tech support will have to deal with daily for the next 5 years?

Think about it. :candle:

Heck, Apple's had problems with their recent update for OS X. Maybe they're trying to drive Vista adoption too... ...orrrrr maybe not.

Regarding Vista adoption in general, I watch Valve's ongoing hardware survey, and I see that the ratio of Vista-to-XP users is now about 1 : 2.3 and building. Granted, that's the gaming community, so their systems tend to be well-equipped (plenty of RAM, etc).

Click to expand...

cy said:

again.. this was back when sp3 first came out... have lost track of current developments with XP...

Click to expand...

I think you're a little confused on the timeline. Vista's debut (November 2006) was not even close to SP3's release for WinXP (May 2008). So I think you're reading more into it than is really there.

Also, WinXP's slated end-of-life has been late 2013 since before Vista was released. The bigger story was that they decided to support WinXP Home Edition for just as long as WinXP Pro, which extended XP Home support by several years further than initially planned (XP Home was originally slated for EOL in 2009).

now what remains is vista's forced end of life for applications like Office 2k.... for all practical purposes, office 98 and 2k has 99% of feature most would ever use. vista forces user to pay office tax again... again...

Click to expand...

Last I checked, you can run Office 2000 just fine on Vista :thinking: Microsoft even has a knowledge-base article about it. Where did you hear otherwise? Office98 is end-of-life, so whether it would run or not, you'd be inviting security exposure if you did.

then there's MS's nasty little forced scan of your vista system before being allowed to download certain app's.

Click to expand...

If you're referring to the Windows Genuine Advantage check, that is also done with Windows XP, not just Vista.

geepondy said:

Anybody know of any bargain places to purchases Acronis True Image? On ebay I find killer deals on Norton IS 2009 but I don't see any on Acronis True Image. The cheapest I have seen it is $45 only five dollars off list.

Click to expand...

I see Newegg has it downloadable for $42.99, and you'd only get sales tax if you're in a state where Newegg has a warehouse: http://www.newegg.com/Product/Product.aspx?Item=1636711SF

I had an older version of True Image, and was pretty pleased with it. Good stuff.

no confusion here... vista was out long enough for the bad reviews to come out before SP3 came out.

what I was referring to was MS's repeated extending availability of XP.
as for reading more into to it... don't under estimate MS... those folks are not stupid in the least.

couldn't get office 2k to work on two vista installs... yes office 98 is end of life... but user should have choice to run it without paying MS office tax again and again.. as you well know... security is a moving target...

mechBgon said:

I think you're a little confused on the timeline. Vista's debut (November 2006) was not even close to SP3's release for WinXP (May 2008). So I think you're reading more into it than is really there.

Also, WinXP's slated end-of-life has been late 2013 since before Vista was released. The bigger story was that they decided to support WinXP Home Edition for just as long as WinXP Pro, which extended XP Home support by three years further than initially planned (XP Home was originally slated for EOL in 2009).



Last I checked, you can run Office 2000 just fine on Vista :thinking: Microsoft even has a knowledge-base article about it. Where did you hear otherwise? Office98 is end-of-life, so whether it would run or not, you'd be inviting security exposure if you did.

Click to expand...

cy said:

no confusion here... vista was out long enough for the bad reviews to come out before SP3 came out.

Click to expand...

If you really think that there would've been no Service Pack 3 for WinXP, under any circumstance whatsoever (rave reviews of Vista, etc), you're not being realistic. Service Packs are just part of the Windows scene. WinNT had six SPs. Win2000 had four. WinXP has had three, Vista has had one. There's no way Microsoft would run the remaining five years of WinXP support without releasing a Service Pack.

A Service Pack is not a political gesture, it's a big bundle of updates and compatibility fixes. SP3 for WinXP was already overdue, people were griping at the ~70 post-SP2 updates required on a WinXP SP2 system.

MechBgon - HUGE thanks for all the detailed links, posts, utilities that you have posted. It has been an invaluable resource. I did not know most of the information and links you posted just in this thread. In particular MS Security Analyzer & Secunia, & your sig website link.

We are lucky to have your expertise here. :thumbsup:

I have been relying on ZA, Bit Defender (don't like it, but started long ago and keep renewing), but mostly on Norton Ghost 9.0 for regular entire drive backups to external USB-2 HD, and optical DVD Taiyo Yuden media. I had problems with Acronis TI a few years ago, and with XP, Ghost has worked 100% for me. Also use router, Spybot, Ad-Aware, and Spyware Blaster.