Microsoft released MS07-017 earlier today to address the “Windows Animated Cursor Handling” vulnerability described in Microsoft Security Advisory 935423. Fixlet content for the new security bulletin has been published and is available in the “Enterprise Security” site:
ID 701701 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows XP/2003 (x64)”
ID 701702 “MS07-017: CORRUPT PATCH - Windows XP/2003 (x64)”
ID 701703 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows 2000 SP4”
ID 701704 “MS07-017: CORRUPT PATCH - Windows 2000 SP4”
ID 701705 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows XP SP2”
ID 701706 “MS07-017: CORRUPT PATCH - Windows XP SP2”
ID 701707 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows Server 2003”
ID 701708 “MS07-017: CORRUPT PATCH - Windows Server 2003”
ID 701709 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows Vista”
ID 701711 “MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution - Windows Vista (x64)”
Is there a fixlet available to calculate the relevance, if this is needed or not and to deploy it?
Currently, it seems that the patch is only replacing HHCTRL.OCX from a version dated somewhere in January this year to 02-Apr-2007 (all version information seems to be the same).
This error is very annoying and we currently do not know, if we can install the fix on each systems or only on those with this Realtek HD Audio driver installed.
Stena Line also faces this problem. The thing is that the new file has the same file version and but a newer date. If we trigger on this file all computers will be tartegeted sisnce they all have the file. Therefore computer with the realtek audio driver must triggered.
Here a relevance code that might work. It is very rough and will probably be alot more elegant when bigfix rewrites it. If your in a hurry (as we are) this might work.
Relevance
((name of operating system = “WinXP”) AND (exists key “HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB925902” of registry) AND(exists file “Rthdcpl.exe” of windows folder ) AND first 12 of following text of first “,” of (modification time of file “Hhctrl.ocx” of system folder as string) !=" 02 Apr 2007").
Action (run the software wizard to get your sha1 correct)
Hotfix 935448 resolves this issue but was only available through contacting Microsoft support services yesterday. It looks like Microsoft has now made the hotfix publicly available, so we will be providing Fixlet messages to facilitate deployment of the hotfix. We are testing the update and will likely release the Fixlet messages later today. More details to follow.
Fixlet messages have been published to the “Enterprise Security” site that will detect affected computers and deploy Hotfix 935448. Note that the Fixlet messages will only become relevant if the computer has, MS07-017, MS07-008, and “Realtek HD Audio Control Panel” installed:
ID 93544801: “935448: Realtek HD Audio Control Panel may not start, and may receive “Illegal System DLL Relocation” error message - Windows XP SP2”
ID 93544802: “935448: CORRUPT PATCH - Windows XP SP2”
For more information, see the following Microsoft support pages:
