Security Advisory

Microsoft Security Advisory 954960

Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates

Published: June 30, 2008 | Updated: August 12, 2008

Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.

Notes The issue affecting System Center Configuration Manager 2007 first described in Microsoft Security Advisory 954474, where System Center Configuration Manager 2007 systems were blocked from deploying security updates, is separate from the issue described in this advisory. However, there are similarities in the contributing factors in both issues.

Customers who wish to verify that the update has been installed properly can check that their version of Microsoft.UpdateServices.WebServices.Client.Dll, located at %ProgramFiles%\Update Services\WebServices\ClientWebService\bin\, is 3.1.6001.66.

The update detailed in Microsoft Knowledge Base Article 954960 cannot be uninstalled through Add or Remove Programs. Customers who wish to remove this update must uninstall Windows Server Update Services as detailed in Microsoft Knowledge Base Article 954960.

General Information

Overview

Purpose of Advisory: The purpose of this advisory is to inform customers of an update to correct a non-security related issue they may experience when attempting to deploy updates through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment.

This issue is not a security vulnerability in Microsoft Windows Server Update Services. However, environments that deploy updates through Microsoft Windows Server Update Services will be unable to deploy any updates to client systems.

Advisory Status: Microsoft Knowledge Base Article and associated update have been released to address this issue.

Recommendation: Review the suggested actions and configure as appropriate.

References Identification
Microsoft Knowledge Base Article 954960

This advisory discusses the following software.

Related Software
Microsoft Windows Server Update Services 3.0
Microsoft Windows Server Update Services 3.0 Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
This advisory and the related Microsoft Knowledge Base Article provide additional information on this issue as first described in the WSUS Product Team Blog.

Why did Microsoft update this advisory on August 12, 2008?
Microsoft updated this advisory to communicate that the updated packages released via the Microsoft Download Center on August 1, 2008 are now also available via Microsoft Update. Customers who have already successfully installed the update do not need to reinstall.

Why did Microsoft update this advisory on August 1, 2008?
Microsoft updated this advisory and the associated update detailed in Microsoft Knowledge Base Article 954960 due to an issue with the initial release of the update, where it did not properly elevate the necessary privileges required to install the update on Windows Server 2008 systems. Microsoft has corrected this elevation issue and has updated the packages as detailed in Microsoft Knowledge Base Article 954960.

Does the update offered in Microsoft Knowledge Base Article 954960 apply to all supported versions of Microsoft Windows Server Update Services?
The update offered in Microsoft Knowledge Base Article 954960 corrects the issue in Microsoft Windows Server Update Services 3.0 Service Pack 1. If you are using the RTM version of WSUS 3.0, refer to the workaround in the "Workaround" section in Microsoft Knowledge Base Article 954960 to resolve this issue. Customers who use the RTM version of WSUS 3.0 and who do not choose to implement the workaround can upgrade to WSUS 3.0 Service Pack 1. See Microsoft Knowledge Base Article 954960 for more information.

How can I verify if my deployments are impacted by the issue described in this advisory?
Administrators of Microsoft Windows Server Update Services 3.0 installations can identify this issue by reviewing log file entries on either the client or server:

  • Client Log Entry (%windir%\WindowsUpdate.log)

    2008-06-13 19:59:53:383 788 ee4 PT +++++++++++ PT: Synchronizing server updates +++++++++++

    2008-06-13 19:59:53:383 788 ee4 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://<wsus server="Server">/ClientWebService/client.asmx

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: SOAP Fault: 0x000190

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: faultstring:Fault occurred

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: ErrorCode:InternalServerError(5)

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: Message:(null)

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: Method:"https://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"

    2008-06-13 19:59:56:617 788 ee4 PT WARNING: ID:c0a7445f-b989-43fa-ac20-11f8ca65fa8c

  • Server Log Entry (%ProgramFiles%\Update Services\Log Files\SoftwareDistribution.log)

    2008-06-14 02:59:57.642 UTC Error w3wp.12 ClientImplementation.SyncUpdates System.ArgumentException: Item has already been added. Key in dictionary: '8862' Key being added: '8862'

    at System.Collections.Hashtable.Insert(Object key, Object nvalue, Boolean add)

    at System.Collections.Hashtable.Add(Object key, Object value)

    at Microsoft.UpdateServices.Internal.ClientImplementation.GetSyncInfo(DataAccess dataAccess, Hashtable stateTable, Hashtable deploymentTable, Boolean haveGroupsChanged, Boolean doChunking)

    at Microsoft.UpdateServices.Internal.ClientImplementation.SoftwareSync(DataAccess dataAccess, UnencryptedCookieData cookieData, Int32[] installedNonLeafUpdateIds, Int32[] leafUpdateIds, Boolean haveGroupsChanged, Boolean expressQuery)

    at Microsoft.UpdateServices.Internal.ClientImplementation.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)

    at Microsoft.UpdateServices.Internal.ClientImplementation.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)

    at Microsoft.UpdateServices.Internal.Client.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)

    <lines removed="removed">

    2008-06-14 02:59:57.642 UTC Warning w3wp.12 SoapUtilities.CreateException ThrowException: actor = https://wsusebc/ClientWebService/client.asmx, ID=c0a7445f-b989-43fa-ac20-11f8ca65fa8c, ErrorCode=InternalServerError, Message=, Client=?

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The inability to install updates from Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to environments that have Microsoft Office 2003 installed is not a security vulnerability.

What Microsoft products are associated with this advisory?
This issue is limited to customers who deploy updates through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1, and have Microsoft Office 2003 installed in their environments.

Note This advisory also applies to Microsoft software that ship with or are built on top of Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1. Microsoft Small Business Server 2003 by default includes Windows Server Update Services 2.0 and is only affected if it has been upgraded to Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1. System Center Essentials and System Center Configuration Manager 2007 are the only Microsoft software that consume the Microsoft Windows Server Update Services catalog and thus are also affected when used to deploy updates.

This is a security advisory about a non-security update. Isn’t that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect a customer’s overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, Microsoft is communicating an issue that affects your ability to perform updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Suggested Actions

Review the Microsoft Knowledge Base Article that is associated with this advisory.

Microsoft encourages customers to install this update. Customers who are interested in learning more about this update should review Microsoft Knowledge Base Article 954960.

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • June 30, 2008: Advisory published.
  • July 9, 2008: Advisory updated to reflect availability of fix.
  • July 10, 2008: Advisory updated to reflect specific installation and uninstallation procedures for the update for Windows Server Update Services running on Windows Server 2008.
  • July 16, 2008: Updated the example workaround steps for running the update to Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 as an administrator.
  • August 1, 2008: Added Frequently Asked Questions entry to communicate re-release of the update to fix known installation issue with Windows Server 2008 systems.
  • August 12, 2008: Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to communicate that the re-release of the update to fix a known installation issue with Windows Server 2008 systems is now available via Microsoft Update.

Built at 2014-04-18T13:49:36Z-07:00