Educause Security Discussion mailing list archives
Re: Original CD required for critical MS vulnerability
From: Michelle Mueller <muellerm () MTMARY EDU>
Date: Fri, 5 Sep 2003 09:33:15 -0500
You can download administrative updates for MS Office from here: http://www.microsoft.com/office/ork/xp/journ/oxpupdte.htm. I use them to stream into an .msi file that I push out through Group Policy. It's still much more of a hassle than it is to get regular critical updates out, since it takes 15 - 45 minutes on each computer to redeploy the software program, but at least we don't need to go around to each computer. I just tried installing one of the admin updates on my test machine and it worked just fine and did not ask for the CD. When I installed an update from the update site, it didn't ask for the disk either. I'm pretty sure this is because right from the beginning we install the program from Group Policy rather than from a CD. Michelle Mueller Mount Mary College Milwaukee, WI millar () isc upenn edu wrote:
The Visual Basic flaw that Microsoft announced on Wed. (details below) has a severity rating of "Critical" (which MS defines as a vulnerability "whose exploitation could allow the propagation of an Internet worm without user action") We're trying to push hard on quickly applying patches that MS rates as Critical, but this one is tougher to apply: you need the original Office CD and you have to go to Office Update; Windows Update doesn't catch it. I'm not sure about Baseline Security Analyzer, because it started giving me problems yesterday. Has anyone ever had any luck convincing MS to: a.) Move Office critical security patches into the Windows Update umbrella? That's where all our communication has pointed end users to. b.) Support Office patches without original CDs? I've got to think that out of our 35,000 people here, there are going to be a lot who can't find their original CDs. I'd hate to be in the middle of a worm outbreak asking everyone on campus to please go find their original Office CDs. Thanks, Dave Millar University Information Security Officer University of Pennsylvania Microsoft Security Bulletin MS03-037 Print Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715) http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-037.asp Affected platforms: All Windows operating systems running Access 97, 2000, 2002; Excel 97, 2000, 2002; PowerPoint 97, 2000, 2002; Project 2000, 2002; Publisher 2002; Visio 2000, 2002; Word 97, 98, 2000, 2002, Works Suite 2001, 2002, 2003; MS Business Solutions ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Original CD required for critical MS vulnerability millar () isc upenn edu (Sep 05)
- <Possible follow-ups>
- Re: Original CD required for critical MS vulnerability Maurice Mitchell (Sep 05)
- Re: Original CD required for critical MS vulnerability Michelle Mueller (Sep 05)
- Re: Original CD required for critical MS vulnerability millar () isc upenn edu (Sep 05)
- Re: Original CD required for critical MS vulnerability Steven R. Smith (Sep 05)
- Re: Original CD required for critical MS vulnerability Gary Flynn (Sep 05)
- Re: Original CD required for critical MS vulnerability Bradford B. Saul (Sep 05)