12/9/08 - "Microsoft Tuesday", SpywareBlaster, and today's other updates

Windows Malicious Software Removal Tool  (KB890830) for December, version 2.5

( be sure to get version 2.5... and not last month's 2.4 )

=====================================

This month's version adds detection of:

Win32/FakeXPA  (aka:  XP Antivirus)

and  Win32/Yektel

=====================================

32-bit version for Windows Vista; Windows XP ; Windows 2000; Windows Server 2003;

http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

-----------------

x64-bit version for Windows Server 2003 x64 editions; Windows Vista Business 64-bit edition; Windows Vista Enterprise 64-bit edition; Windows Vista Home Basic 64-bit edition; Windows Vista Home Premium 64-bit edition; Windows Vista Ultimate 64-bit edition; Windows XP 64-bit

http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Please use Windows/Microsoft UPDATES to determine which of the following are required for your particular system:

The following updates are rated CRITICAL:

MS08-070 Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)

MS08-071 Vulnerabilities in GDI Could Allow Remote Code Execution (956802)

MS08-072 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)

MS08-073 Cumulative Security Update for Internet Explorer (958215)

MS08-074 Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)

MS08-075 Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)

---------------------------------------

The following updates are rated IMPORTANT:

MS08-076 Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)

MS08-077 Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)

Hi Ky331. I have a few questions concerning the updates that were listed when I clicked "Check for Updates" on my system today.

1. How do I find what version of the Microsoft MSRT I installed? Can I assume it would be the most recent version, 2.5?

2. Two of the updates appear to be the same. They both deal with Windows Search. Checking the details page they both are MS08-075, yet they  have different Knowledge Base numbers, KB958623 and KB958624. Do I need to install both of these seemingly identical updates?

 I just checked the size of each of these updates and one is 6.9 Mb and the other is only 844 Kb, so they aren't the same. I probably should install both. Maybe the smaller one is an update to the larger one.

Thanks

Steve,

the indication to be sure to get the latest version (2.5) of the MSRT was included because at the time of my posting earlier today, Microsoft was just "phasing-in" that version... and for a short while, it was possible that either one (new or old) might be downloading.   [i downloaded the "old" one two or three times, before finally getting the new one.]   but now, hours later, i think we can safely say you're getting the newest version.

as for which updates you (or anyone) need(s), I have to assume that whatever windows updates finds  for you  is appropriate for your system.   the reason why I stressed this is that I didn't want someone to erroneously assume they necessarily needed everything on the above list.

while i don't have any specific details (other than what you can read for yourself in the MS08-75 article), it would appear that KB 958623 contains an "important" fix that  replaces  the older MS08-38, while KB 958624 contains a "critical" fix (that's "brand new" --- not replacing something else).   Aside from this distinction, they do appear to be very similar updates.  

Thanks for your help and hope you have a Merry Chirstmas.

Hi,

I didn't get offered ANY MSRT for December.  Should I try it again tomorrow?  Or should I go and get it manually and if so, how do I do that?  And where do I find these MS08-070 numbers?  All my updates have KB numbers.  I looked at my history.  Oh I see your last number is the KB number.  Update only installed 2 of your list.  Does that sound ok?  I only got 956802 and 958215.  I'm still only on SP2.

Christine

SpywareBlaster database update

12/9/08

total of 11171 items; 30 new

Christine:

I also noticed the the Dec. MSRT was not offered at the MS Update site/Custom option (I don't use automatic updates) and had to download the new version from ky331's link. Whether this represents a change in policy, or a one-time deal due to the new version, I don't know.

I don't use the Express option, because it is automatic, and doesn't give you the choice the Custom does, to review and decide whether you need the updates offered. (I can recall a few times when dicey updates, such as the WGA Notification program, were automatically installed- and could not be uninstalled).

Christine,

the numberings --- be it the MS's or the KB's --- are overly complicated and confusing.   for example, if you were to click on the link i gave above and read through the MS08-070 article [which is followed/referenced by the main KB # 932349], you will see that it in turn refers to many other KB numbers [including 926857 and 958392], which are  customized  for various specific products (Visual Basic, DotNet, FoxPro, FrontPage), versions (2002, 2003, 2007), operating systems (XP, Vista), and service packs (sp1, sp2, sp3).   Unless you have that particular combination of product/version/OS/pack, you will not need the corresponding update.

Like I said at the start, overly complicated and confusing.   The only reason why I listed things this way, is because that's the way Microsoft chooses to "advertise"/publicize their updates.  

however, the simplest/best way for you to proceed is simply to go to Windows Updates (in IE, under Tools), and allow it to scan for and determine precisely which updates your system needs.   If it only finds two, I would install those, and figure that's all you actually need.

by the way, if you have your system configured to automatically check for (and either notify you, or download/install) updates [which is what Microsoft recommends people do], you should automatically be advised about the availability of any updates [without having to actually "go to" the Windows Updates site].

also keep in mind that when you go to the windows updates site, they offer an EXPRESS as well as a CUSTOM choice.   the EXPRESS gives you only the critical (or perhaps very important) updates; whereas CUSTOM gives you the choice of everything available, including "optional" (non-critical) updates.

as for the MSRT, I believe that it SHOULD have been included among the updates made available [especially if you chose CUSTOM.   EDIT:   I see that Joe just replied here, indicating this is NOT the case.]  If you can't get it that way, and want to download it, you can click on the link I gave above (i'm assuming you probably have a 32-bit system) and download it directly from there.

Ok I manually downloaded the MSRT 2.5 from your link.  Thanks.  But now Another Question!  When I dl it and ran it, it did a scan (I picked the quick scan).  I never have seen the monthly MSRT do a scan before.  I just have been doing the Custom Updates monthly and when it's done it says to restart computer.  Maybe it's doing the scan in the background, but I've never noticed? On the restart?  So were my past MSRTs done correctly?  How would I run it again to do the full scan?  Redownload it?

Sorry for so many questions,

Christine

Christine,

I can't locate the thread right now, but it seems this is something i just recently discussed with someone (thought it might have been you).

EDIT:   We did in fact discuss this two weeks ago, here:  http://en.community.dell.com/forums/p/19244257/19379325.aspx#19379325

the following has been excerpted from http://support.microsoft.com/?kbid=890830

"The Malicious Software Removal Tool runs in quiet mode (unless/until it finds an infection).  If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection...  you may be prompted to perform a full scan.  We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan....

If you have not been notified of an infection, no malicious software has been found that needs your attention."

as for re-running it for a full scan:   when you went to the link i gave, did you RUN the program or SAVE the program (to be run)?   If you simply RUN the program, it will be saved as a temporary file, and presumably removed when you clean the "temp cache".  [in that case, you can always go to the link and download it again.]   If you SAVE the file, naming it, you should be able to locate it (wherever you downloaded it to) and run it again.  

i believe you can also go to the START menu, choose RUN, and type in MRT (then hit the ENTER key) to run the Malicious Removal Tool.   While this may work, I don't know if you can tell which version it's loading [whereas, when downloaded from the link i gave, it should clearly indicate the version]

MS Malicious Software Removal Tool damages harmless software

11 December 2008

In yesterday's [Tuesday's] update of the Malicous Software Removal Tool (MSRT), Microsoft supplied an erroneous signature that led it to remove the uninstall components of some software products. For example, a reader has reported that, following a reboot, the MSRT found the trojan Win32/Renos.N in the "Vegas Movie Studio Platinum 8.0" video processing software. Microsoft's own Flight Simulator is also reported to have been robbed of its uninstall routines by faulty error detection.

According to Microsoft – .....the incorrect signature was supplied to all anti-virus products, including OneCare, on 19 November. The defective signature is only contained in the December version 2.5.2419.0 of the MSRT and, shortly thereafter, Microsoft issued version 2.5.2423.0, which is said to contain the corrected signatures. Microsoft normally issues corrected versions via automatic updates, so no direct action is needed. The company has not yet suggested how the deleted files can be restored.


From Article HERE