Re: Original CD required for critical MS vulnerability

[Michelle Mueller <muellerm () MTMARY EDU>]

You can download administrative updates for MS Office from here:
http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm.   I use them
to stream into an .msi file that I push out through Group Policy.  It's
still much more of a hassle than it is to get regular critical updates
out, since it takes 15 - 45 minutes on each computer to redeploy the
software program, but at least we don't need to go around to each
computer.  I just tried installing one of the admin updates on my test
machine and it worked just fine and did not ask for the CD.  When I
installed an update from the update site, it didn't ask for the disk
either.  I'm pretty sure this is because right from the beginning we
install the program from Group Policy rather than from a CD.

Michelle Mueller
Mount Mary College
Milwaukee, WI



millar () isc upenn edu wrote:

> The Visual Basic flaw that Microsoft announced on Wed. (details below)
> has
> a severity rating of "Critical" (which MS defines as a vulnerability
> "whose
> exploitation could allow the propagation of an Internet worm without user
> action")
>
> We're trying to push hard on quickly applying patches that MS rates as
> Critical, but this one is tougher to apply: you need the original
> Office CD
> and you have to go to Office Update; Windows Update doesn't catch it.
> I'm
> not sure about Baseline Security Analyzer, because it started giving me
> problems yesterday.
>
> Has anyone ever had any luck convincing MS to:
> a.) Move Office critical security patches into the Windows Update
> umbrella?  That's where all our communication has pointed end users to.
> b.) Support Office patches without original CDs?  I've got to think that
> out of our 35,000 people here, there are going to be a lot who can't find
> their original CDs.   I'd hate to be in the middle of  a worm outbreak
> asking everyone on campus to please go find their original Office CDs.
>
> Thanks,
> Dave Millar
> University Information Security Officer
> University of Pennsylvania
>
>
> Microsoft Security Bulletin MS03-037  Print
> Flaw in Visual Basic for Applications Could Allow Arbitrary Code
> Execution (822715)
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-037.asp
>
> Affected platforms: All Windows operating systems running Access 97,
> 2000, 2002; Excel 97, 2000, 2002; PowerPoint 97, 2000, 2002; Project
> 2000, 2002; Publisher 2002; Visio 2000, 2002; Word 97, 98, 2000,
> 2002, Works Suite 2001, 2002, 2003; MS Business Solutions
>
> **********
> Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.