Critical Update issued for XP etc. but not for Vista

Vistaar

Vista Guru
The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires. Edit: Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? :shock: Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. " :shock: Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? :shock: Caution: This update would definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Caution: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. Update: It should then be possible to reinstall Avast/AVG products because Avast issued a micro-update.

In other news, Microsoft has issued KB4474419 for SHA-2 code signing support for Windows 6.0. Third Edition: The KB article states, "There are no prerequisites for installing this update;" however 2019 SHA-2 Code Signing Support requirement for Windows and WSUS indicates that the April 2019 Servicing stack update for Windows Server 2008 SP2 (KB4493730) would also be needed for Windows updates. The experiment in post #2 therefore cannot be regarded as conclusive (I'm not even sure if Windows Update Agent 7.6.7600.256 was present).
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics card(s)
    NVIDIA GeForce 8500 GT
KB4474419 integrated into wim - along with the rest of my integrate list. Then ran the 4 speedups:

integrated-kb4474149-167total.JPG

It appears to prevent WU from getting any of the SHA-1 updates for Vista.
WU only offers these:

after-kb447.JPG


after-kb447-2.JPG


after-kb447-3.JPG
 
Last edited:

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200
The update was installed on Vista SP2. It prevented Vista SP2 from getting updates, ( except for windows defender ) as shown in my previous post - including screenshots. It isn't build 6003.
 

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200
I had formatted that partition. It was quite simple for me just now to install only that update into an image. It does indeed change the build to 6003.

The correct reponse to my earlier post that it prevents Vista from getting updates is:

Yes, and it also changes the build number.
 

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200
I hadn't looked at Vista for a long while. Been tinkering with it over the last few days. I have made boot media for it as well. Couple of things still to sort out on the x64, the x86 is working fine.

Will link it for anyone that is using vista x86. You will probably want to add your own net drivers. I only added the driver I needed for testing.

vistapepic1.jpg

vistapepic2.jpg

vistapepic3.jpg
 

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200
Last edited:

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200
Getting back to my original topic:
The vulnerability is CVE-2019-0708, which apparently affects every version of Windows from Windows XP to Windows 7. Microsoft has released security updates for every affected version of Windows, including Windows XP and Server 2003 - unless you believe that Windows Vista SP2 and Windows Server 2008 SP2 are different versions of Windows, in which case Microsoft did NOT issue an update for Vista. However, if you are familiar with the MSFN thread Server 2008 Updates on Windows Vista, then you know that Vista can be patched against this threat if anyone so desires.
Today (May 23, 2019) Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to add Windows Vista at the bottom of the list. The link for 4499180 takes you to the May 2019 Security Only Quality Update for Windows Server 2008!? :shock: Furthermore, the KB article was updated yesterday (May 22), and contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista." :shock: Microsoft is not just admitting that updates for Server 2008 can be installed on Vista, but is actually advising those who are still running Vista to install this one!? :shock: Caution: This update definitely change your build number from 6.0.6002 to 6003, and personally I wouldn't install it unless my system was already fully updated to April 2019 (I did NOT mean to write "2017"). Warning: If you are using a legacy version of Avast, then you should uninstall it before updating your system because of a reported incompatibility. (I have edited post #1.)
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics card(s)
    NVIDIA GeForce 8500 GT
Disabling the Terminal Services service might perhaps mitigate the vulnerability. Does anyone have any thoughts on that? It is not clear to me why Home versions of Vista would be vulnerable at all (see the Warning in this tutorial).

Depends upon the method of the hack.
 

My Computers

System One System Two

  • Operating System
    Windows 8.1 Industry Pro x64
    Manufacturer/Model
    HP Pavillion Elite HPE-250f
    CPU
    Intel i7 860 Quad core 2.8 ghz
    Memory
    8 gb
    Graphics card(s)
    ATI Radeon HD 5770 1 gb ram
    Monitor(s) Displays
    Alienware 25 AW2521HF
    Screen Resolution
    1920x1080 &1680x1050
    Hard Drives
    1 TB x2
    Other Info
    https://www.cnet.com/products/hp-pavilion-elite-hpe-250f/
  • Operating System
    Windows 2012 R2 Data center/Linux Mint
    Manufacturer/Model
    Dell Poweredge T140
    CPU
    i3 9100 3.6GHz, 8M cache, 4C/4T
    Memory
    8GB 2666MT/s DDR4 ECC UDIMM
    Screen Resolution
    1680x1050
    Hard Drives
    1 TB & 360 GB x2
    Other Info
    https://www.dell.com/en-us/work/shop/productdetailstxn/poweredge-t140?~ck=bt
CVE-2019-0708 says:
Mitigations

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:

1. Disable Remote Desktop Services if they are not required.

If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.
In the case of Windows Vista, those would be the Terminal Services and Terminal Services Configuration services.
 
Last edited:

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics card(s)
    NVIDIA GeForce 8500 GT

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics card(s)
    NVIDIA GeForce 8500 GT
It enters a new stage of useless with Build number 6.0.6003. Windows Update not receiving updates for being fully patched, update servers closed or Windows Update no longer recognizing the operating system is three different things...
 

My Computer

The vulnerability is CVE-2019-0708...Microsoft updated Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability to include Windows Vista....the KB article...contains this Notice: "This security update can be installed on Windows Server 2008 Service Pack 2 and on Windows Vista. "....Caution: This update would definitely change your build number from 6.0.6002 to 6003...
This was the first time in 2 years that Microsoft publicly urged those still running Windows Vista to install a security update (although almost every Windows Server 2008 SP2 update actually contains an extractable text file listing Windows Vista as an applicable OS). The update was not delivered to Windows Vista via Windows Update: Users interested in security would have to download and install it themselves from Microsoft Update Catalog.
 

My Computer

System One

  • Operating System
    Vista Home Premium x86 SP2
    Manufacturer/Model
    HP Pavilion Elite m9150f
    CPU
    Intel Q6600
    Memory
    3 GB
    Graphics card(s)
    NVIDIA GeForce 8500 GT
Back
Top