• Article

Security Bulletin

Microsoft Security Bulletin MS05-031 - Important

Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)

Published: June 14, 2005 | Updated: June 15, 2005

Version: 1.1

Summary

Who should read this document: Customers who use Microsoft Windows or may have installed the Step-by-Step Interactive Training

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
  • Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.

Tested Microsoft Windows Components:

Affected Components:

Note The Step-by-Step Interactive Training software is included with many Microsoft Press titles. Use the information in the "Frequently asked questions (FAQ) related to this security update" section to help determine whether you require this security update.

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately-reported vulnerability. The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

We recommend that customers apply the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers Impact of Vulnerability Step-by-Step Interactive Training
Interactive Training Vulnerability - CAN-2005-1212 Remote Code Execution Important

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Does this update contain any other changes to functionality?
Yes. Besides the changes that are listed in the “Vulnerability Details” section of this bulletin, this update includes the following change in functionality: Bookmark links created by the Step-by-Step Interactive Training software before the installation of this security update may no longer function correctly. These bookmark links may have to be re-created to function correctly.

Will this security update be offered through Windows Update and Automatic Update?
Yes. The Step-by-Step Interactive Training software is preinstalled by many computer manufacturers. The Step-by-Step Interactive Training software is also offered as part of hundreds of Microsoft Press titles. Because of the wide distribution of this software, we have decided to offer this security update on Windows Update to systems that have this software installed. This software is covered as part of the operating system license on systems where the software is preinstalled. If this software is not installed, this security update will not be offered and is not required on those systems. This software will be offered on Windows 2000, Windows XP, and Windows Server 2003 operating systems where required. Because this vulnerability is not critical, this update will not be offered to Windows 98, to Windows 98 Second Edition, or to Windows Millennium Edition.

Note: A non-localized version of the security update may be offered through Windows Update when a localized version of the affected software is installed on a version of the operating system that contains a different localization. For example, customers using a Norwegian version of the operating system that are using the French version of the affected application will be offered the English version of the security update through Windows Update. Customers that require the French version of the affected application should download the French version of the security update using the download links provided in this security bulletin. If the security update is already installed, it will not be offered by Windows Update. No matter which language combination of the affected software you have installed, a security update will be offered to help protect against this vulnerability.

How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.

For more information about severity ratings, visit the following Web site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
MBSA does not support Step-by-Step Interactive Training, and does not detect whether the update is required for Step-by-Step Interactive Training. However, Microsoft has developed a version of the Enterprise Update Scan Tool (EST). This tool helps customers determine whether this security update is required. For detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460. For more information about MBSA, visit the MBSA Web site.

What is the Enterprise Update Scan Tool (EST)?
As part of an ongoing commitment to providing detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command-line interface and view the results of the XML output file. To help customers better use the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.

Can I use a version of the Enterprise Update Scan Tool to determine whether this update is required?
Yes. Microsoft has created a version of the Enterprise Update Scan Tool that will determine whether you have to apply this update. For more information about the version of the Enterprise Update Scan Tool that is being released this month, see the following Microsoft Web site. There is also a version of this tool that Systems Management Server (SMS) customers can obtain. To obtain this version of the tool, visit the following Microsoft Web site. This tool may also be available for SMS customers from the SMS Web site.

Can I use Systems Management Server (SMS) to determine whether this update is required?
Yes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. However, there is a version of the Enterprise Update Scan Tool that SMS customers can obtain that offers an integrated experience for SMS administrators. To obtain this version of the tool, visit the following Microsoft Web site. For more information about SMS, visit the SMS Web site.

How do I know if I have Step-by-Step Interactive Training installed on my system?
You can refer to the list of title provided in Microsoft Knowledge Base Article 898458. You can also use the Add or Remove Programs tool in Control Panel to determine whether “Microsoft Press Interactive Training” and “Interactive Training” are included in the list of installed software. However, this is not a complete method of verification, because “Microsoft Interactive Training” does not create an Add or Remove Programs entry. “Microsoft Interactive Training” is based on the Orun32.exe file. Therefore, you must also manually determine whether the Orun32.exe file is present on your system. Customers can also manually search for all the affected files. If any one of these files is present, the system is likely to be vulnerable to this issue. The affected files are any versions of the following files earlier than the file versions that were released as part of this security update:

File Name Version Date Time Size
Lrun32.exe 3.6.0.111 04-May-2005 22:45 1,077,312
Mrun32.exe 3.4.1.101 04-May-2005 23:17 1,028,160
Orun32.exe 3.5.0.117 04-May-2005 22:33 1,077,312

Can I use SMS to determine if programs are installed that have to be updated?
Yes. SMS can help detect if there are other programs installed that may have installed a version of the vulnerable component. SMS can search for the existence of the files that are documented in the previous FAQ. Update all versions of the affected files that are earlier than the versions that are listed in the previous FAQ. You can deploy this update by using the Inventory and Software Distribution feature of SMS.

Vulnerability Details

Interactive Training Vulnerability - CAN-2005-1212:

A remote code execution vulnerability exists in Step-by-Step Interactive Training because of the way that Step-by-Step Interactive Training handles bookmark link files. An attacker could exploit the vulnerability by constructing a malicious bookmark link file that could potentially allow remote code execution if a user visited a malicious Web site or opened a malicious attachment that was provided in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.

Mitigating Factors for Interactive Training Vulnerability - CAN-2005-1212:

  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site to have it deliver a Web page that contains malicious content to try to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site or to a Web site that has been compromised by the attacker.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability.

    The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all the following conditions:

    • Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
    • Use Internet Explorer 6 or a later version.
    • Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook Express 6 or a later version, or use Microsoft Outlook 2000 Service Pack 2 or a later version in its default configuration.

  • The vulnerability could not be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message or must click a link that is provided in an e-mail message.

  • The following e-mail management best practices can help mitigate this vulnerability:

    • Discourage users from opening file attachments that have file name extensions that are not familiar. The relevant file name extensions (.cbo, .cbl, .cbm) are not ordinarily used in e-mail and should be treated with caution.
    • Discourage users from opening file attachments from untrusted sources.

Workarounds for Interactive Training Vulnerability - CAN-2005-1212:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Disable the handler for Step-by-Step Interactive Training bookmark link files by removing the related registry keys.
    Delete these keys to help reduce attacks. This workaround helps reduce attacks by preventing Step-by-Step Interactive Training from automatically opening the affected file types. The content can still be opened from within the Step-by-Step Interactive Training user interface.

    Important This bulletin contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base Article 256986. Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

    1. Click Start, click Run, type regedt32, and then click OK.

    2. In Registry Editor, locate the following registry subkeys:
      HKEY_CLASSES_ROOT.cbl (for “Microsoft Press Interactive Training”)
      KEY_CLASSES_ROOT.cbm (for “Interactive Training”)
      HKEY_CLASSES_ROOT.cbo (for “Microsoft Interactive Training ”)

    3. For each subkey that is found, click the subkey, and then press DELETE.

    4. In the Confirm Key Delete dialog box, click OK.
      These actions can also be performed at a command prompt by using the following commands in the order that is specified here:

      reg.exe export HKCR.cbl c:\cbl.reg
      reg.exe delete HKCR.cbl /f
      reg.exe export HKCR.cbm c:\cbm.reg
      reg.exe delete HKCR.cbm /f
      reg.exe export HKCR.cbo c:\cbo.reg
      reg.exe delete HKCR.cbo /f`

    Impact of Workaround: Step-by-Step Interactive Training bookmark files can no longer be opened. The content can still be opened from within the Step-by-Step Interactive Training user interface.

  • Do not open or save Step-by-Step Interactive Training bookmark link files (.cbo, .cbl, .cbm) that you receive from untrusted sources.
    This vulnerability could be exploited when a user opens a .cbo, .cbl, or .cbm file. Do not open files that use these file name extensions. This workaround does not cover other vectors of attack such as Web browsing.

  • Help prevent e-mail attacks by blocking Step-by-Step Interactive Training bookmark link files (.cbo, .cbl, .cbm).
    This vulnerability could be exploited when a user views a user views a .cbo, .cbl, or .cbm file. To help block these files by using Outlook and Outlook Express, see Microsoft Knowledge Base Article 837388 and Microsoft Knowledge Base Article 291387. Enterprise customers should consider adding Step-by-Step Interactive Training files (.cbo, .cbl, .cbm) to the list of unsafe files that are blocked by enterprise gateway e-mail filters.

    Note When you block these files through e-mail, you are not preventing attacks that use other vectors.

  • Remove Step-by-Step Interactive Training. Removing Step-by-Step Interactive Training will help prevent attacks.

    To remove Step-by-Step Interactive Training, follow these steps:

    • Click Start, click Run, and type %windir%\IsUninst.exe -x -y -a -f"%windir%\orun32.isu"

      Note You may have to replace "orun32.isu" with "mrun32.isu" or "lrun32.isu," depending on the version of Step-by-Step Interactive Training that is installed. If you have several of these versions installed, you must remove them all.

      Impact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.

  • Remove Step-by-Step Interactive Training by using the Add or Remove Programs tool in Control Panel.

    To manually remove Step-by-Step Interactive Training from a system, follow these steps.

    1. Click Start, point to Settings, and then click Control Panel.

    2. Double-click Add or Remove Programs.

    3. In the Add or Remove Programs dialog box, click the name of the affected program and then click Remove

      Note Affected versions are "Microsoft Press Interactive Training" and "Interactive Training." However, removing these programs may not be a complete workaround, because "Microsoft Interactive Training" does not create an Add or Remove Programs entry. "Microsoft Interactive Training" is based on the Orun32.exe file. Therefore, you must also manually verify that the Orun32.exe file is not present on your system.

    4. Follow the instructions to complete the removal.

    Impact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.

  • Delete or rename the Step-by-Step Interactive Training .ini program file.

    If Step-by-Step Interactive Training cannot be removed by using the methods that are documented in this section of the security bulletin, you may be able to help prevent attacks by deleting or renaming the physical file.

    Delete or rename the %windir%\Orun32.ini file.

    Note You may have to replace "Orun32.ini" with "Mrun32.ini" or "Lrun32.ini depending on the version of Step-by-Step Interactive Training that is installed.

    Impact of Workaround: After you disable the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training may fail.

FAQ for Interactive Training Vulnerability - CAN-2005-1212:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.

What causes the vulnerability?
An unchecked buffer in the process that is used by Step-by-Step Interactive Training to validate bookmark link files.

What is a bookmark link file?
Bookmark link files are created by using the Step-by-Step Interactive Training user interface. These files allow a user the ability to quickly and easily link to a particular topic. Bookmark link files are text files that contain the information that is required by Step-by-Step Interactive Training to view a topic.

What is Step-by-Step Interactive Training?
Step-by-Step Interactive Training is used as the engine for hundreds of interactive training titles that are provided by Microsoft Press and other vendors. The list of know titles that contain this software is provided in Microsoft Knowledge Base Article 898458. For more information about other available Microsoft Press titles that may contain this software see the Microsoft Press Web site. This Web site will only document titles that may contain this software. Because of the nature of the distribution of this software by Microsoft, by our manufacturing partners, and by our publishing partners, there is no definitive list of all the titles that may have provided this software or of manufacturers that may have preinstalled this software. We recommend installing the available security update if you believe that this software may be installed on your system. You can also use the information provided in the "How do I know if I have Step-by-Step Interactive Training installed on my system?" frequently asked question to scan your enterprise for the affected files.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Who could exploit the vulnerability?
An attacker that could construct a malicious file and then persuade a user to visit a malicious Web site that opened this file or an attacker that could persuade a user to open a malicious attachment provided in an e-mail message could try to exploit this vulnerability.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.

There are several additional ways that an attacker could try to exploit this vulnerability. However, user interaction is required to exploit this vulnerability in each of these ways. Some examples follow:

  • An attacker could exploit the vulnerability by constructing a malicious Step-by-Step Interactive Training bookmark file (a .cbo, cbl, or .cbm file) and then persuading the user to open the file.
  • An attacked could send a malicious file as an attachment to a user through e-mail and then convince a user to open the attachment.
  • An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site to have it deliver a Web page that contains malicious content to try to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site or to a Web site that has been compromised by the attacker.

What systems are primarily at risk from the vulnerability?
Any operating system where Step-by-Step Interactive Training is installed is at risk from this vulnerability. Because this software is typically installed only on client systems, servers would typically not be at risk from the vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that Step-by-Step Interactive Training validates the contents of a bookmark file before Step-by-Step Interactive Training copies the content into the allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Step-by-Step Interactive Training (All Versions)

Prerequisites
You must have a version of Step-by-Step Interactive Training installed before you install this security update.

Installation Information

This security update supports the following setup switches.

Switch Description
/help Displays the command-line options
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Display a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem Overwrites OEM files without prompting
/nobackup Does not backup files needed for uninstall
/forceappsclose Forces other programs to close when the computer shuts down
/log:path Allows the redirection of installation log files
/integrate:path Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path] Extracts files without starting the Setup program
/ER Enables extended error reporting
/verbose Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt:

StepByStepInteractiveTraining-KB898458-x86-ENU.exe /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB898458.log file for any failure messages when they use this switch.

To install the security update without forcing the system to restart, use the following command at a command prompt for:

StepByStepInteractiveTraining-KB898458-x86-ENU.exe /norestart

Note Filenames for non0x86 systems are unique to the affected platforms.

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.

Restart Requirement

This update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB898458$\Spuninst folder.

Switch Description
/help Displays the command-line options
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Display a dialog box prompting the local user to allow a restart
Special Options
/forceappsclose Forces other programs to close when the computer shuts down
/log:path Allows the redirection of installation log files

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Step-by-Step Interactive Training

File Name Version Date Time Size
Lrun32.exe 3.6.0.111 04-May-2005 22:45 1,077,312
Mrun32.exe 3.4.1.101 04-May-2005 23:17 1,028,160
Orun32.exe 3.5.0.117 04-May-2005 22:33 1,077,312

For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Verifying that the Update Has Been Applied

  • File Version Verification

    Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

    1. Click Start, and then click Search.
    2. In the Search Results pane, click All files and folders under Search Companion.
    3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
    4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

    Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

    1. On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

    Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by testing for the presence of the following registry key.

    Step-by-Step Interactive Training:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Step by Step Interactive Training\SP2\KB898458\Filelist

    Note Versions of Step-by-Step Interactive Training could be installed after the security update has been installed. This action could reintroduce this vulnerability onto a system. Detecting the presence of this registry key will only validate that the update was installed. The existence of this registry key will not determine whether the system is currently secure or vulnerable. We recommend that you use File Version Verification to determine whether a system is vulnerable to this issue. If this situation does occur, Windows Update will offer this update again to an affected system.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

Support:

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyze, Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 14, 2005): Bulletin published
  • V1.1 (June 15, 2005): Bulletin “Acknowledgments” section revised with additional details.

Built at 2014-04-18T13:49:36Z-07:00