We've had the users try downloading the updates directly and accessing
the Windows Update site. The latter shows no updates available and the
former fails as the update is already installed.
The Vista checks for this update are file based checks as opposed to
the registry check for XP updates. I'm not sure why this changed this
behavior as we seem to have more issues with the Vista checks for for
"file created dates".
The original issue is still ongoing. It appears to me that the Cisco
ruleset for Vista machines is broken on this check. Not all machines
will have the gdiplus.dll in the directory. I'm also very dubious
about checking a file version at all in the winsxs directory. I
believe this directory allows for multiple versions of the same
library to be available - why is this check forcing users to have a
particular version when it appears to have already been replaced by a
later version?
On Sep 12, 2008, at 2:16 PM, SHIH, WENDY wrote:
Did you have them go to MS update site directly? I am not sure why
MS makes it so confusing. But we found the PC might be failing
KB954593 but the real update requires is KB38464. We usually turn
off the critical update requirements for a few days around 2nd
Tuesday just to let the PCs gets the updates and work themselves way
out before we enforce it.
http://www.microsoft.com/downloads/details.aspx?familyid=16f3ad21-ed77-4c32-93df-3b650b2b32a5&displaylang=en
The CAM registry check for KB954593 is actually looking for KB
938464. Same for Vista.
=======
pc_KB954593_MS08-052_XP
HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB938464\Filelist\
From: Cisco Clean Access Users and Administrators [mailto:[email protected]
] On Behalf Of Walt Howd
Sent: Friday, September 12, 2008 1:06 PM
To: [email protected]
Subject: KB954593 / MS08-052 Check Incorrectly Failing on Windows
Vista Systems
We have approximately 500 windows vista student systems that are
failing the pc_KB954593_MS08-052_Vista check.
All of the systems we have examined have all available windows
updates installed.
Some of the systems have the reported file (gdiplus.dll) in the
directory listed in the check with the minimum file version listed
in the check (5.2.6000.16000). Other systems do not have the
gdiplus.dll in the exact directory, but in a different directory
with a higher version number.
On all systems attempting to manually download ( http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx
) and install the update reports the message that update is not
applicable to the system as it has already been installed.
Here is the text from the Clean Access Report:
pc_KB954593_MS08-052_Vista, File Check [C:\Windows\winsxs
\x86_microsoft
.windows
.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537
\GdiPlus.dll later than 5.2.6000.16000]
Has anyone else seen this issue? This update just came out on
Tuesday, the 9th.
Walt Howd
Network Systems Admin
Information Technology Services
Truman State University
SunGard Higher Education
Managed Services
100 East Normal Street
Kirksville, MO 63501
[EMAIL PROTECTED]
Office - (660) 785-7394
