Update on a couple issues we are seeing related to detection and installation of MS10-090 (KB2416400)

Article
12/16/2010

I just wanted to let you know about a couple issues we are seeing on our support team related to detection and install issues for MS10-090 (KB2416400). Please note that these are preliminary troubleshooting steps that we have found in our investigation of these issues and you may find other factors in your configuration that also contribute to the issue that do not align with those that are documented here.

Note: Issue 2 below was updated on 12/21/2010 for clarity.

=================================
Issue 1:

WSUS managed clients experience a re-offer loop for this update.

Scenario:

· You approve MS10-090 (KB2416400) for installation to clients.

· Clients download/install MS10-090 (KB2416400) successfully and a reboot is needed.

· The reboot is completed.

· After the reboot, KB2416400 is reoffered for installation.

Cause:

As noted in the MS10-090 security bulletin and article KB2416400, KB2467659 should be deployed along with KB2416400.

Resolution:
If you have installed KB2416400 without installing KB2467659, clients may be re-offered KB2416400 one or more times even when it installs successfully. The resolution for this issue is to install KB2467659.

=================================

Issue 2:

WSUS managed clients experience a re-offer loop for this update and updates it supersedes.

Scenario:

• You approve MS10-090 (KB2416400) for installation to clients and have already approved KB2467659 as well (issue 1 above).

• Clients download/install MS10-090 (KB2416400) and a reboot is needed.

• The reboot is completed.

• The client prompts to install an older update that MS10-090 (KB2416400) supersedes.

• You install this older update and a reboot is needed.

• The reboot is completed.

• The client prompts to install KB2416400 again.

• If you repeat the installation, the two updates continue to be offered in an endless loop.

Cause:

At least one of the updates in the supersedence chain for MS10-090 (KB2416400) has an approval state that is NOT set to “Declined”.

Resolution:

We recommend that all updates that are superseded by KB2416400 (MS10-090) be set to “DECLINED” for their approval state within WSUS. Here are some fairly quick steps provided by Vishal Gupta (thanks, Vishal!):

Decline all updates that are superseded by KB2416400.

• Open the WSUS console.

• Expand the WSUS server’s name on the upper-left.

• Right-click on Updates and choose Search.

• In the Text field, enter the following text:

Cumulative Security Update for Internet Explorer

• Click Find Now and wait for the search results to build.

• When the results are shown, select the first item in the list so that it becomes highlighted, scroll to the bottom of the search results, hold down the SHIFT key on your keyboard, select the last update in the list, and release the SHIFT key. Now all updates in the search result should be highlighted.

• Right-click in the highlighted list of updates and choose “Decline”; when prompted if you are sure you want to decline the updates, choose “Yes”.

NOTE: This declines KB2416400, but the later steps will allow you to approve this one again.

• When this task completes, change the search Text to:

KB976749

• Click Find Now and wait for the search results to build.

• Select all of the items returned, right-click, and choose Decline.

• When this task completes, change the search Text to:

KB960714

• Click Find Now and wait for the search results to build.

• Select all of the items returned, right-click, and choose Decline.

Set the approval to “Install” for each of the versions of KB2416400 you wish to deploy in your environment.

• Using the same Search dialog, change the search Text to:

KB2416400

• Click Find Now and wait for the search results to build.

• For each version of KB2416400 you need to deploy in your environment, right-click the update and choose Approve.

Confirm that KB2467659 has an approval set to “Install”.

• Using the same Search dialog, change the search Text to:

KB2467659

• Click Find Now and wait for the search results to build

• For each version of KB2467659 you need to deploy in your environment, right-click the update and choose Approve.

This takes care of all of the approval changes on the WSUS server so you can do the following on some of the clients to confirm the issue is resolved:

• Restart the Automatic Updates service/Windows Update service on an affected client.

• From a CMD prompt, run WUAUCLT /DETECTNOW.

================================
Issue 3:

SMS/ITMU installations of KB2416400 fail.

Scenario:
You deploy KB2416400 via SMS 2003/ITMU. The clients attempt to install KB2416400 but fail with exit code 1642.

Resolution:
Create a software deployment for both KB2416400 and KB2467659.

You can download the standalone versions of these from the Microsoft Download Center

Hope this helps,

Mike Johnson | System Center Senior Support Escalation Engineer

Comments

Anonymous
January 01, 2003
I ran into an issue when declining KB960714. When you search for KB960714 only the IE7 updates show up so I did not decline the patch for previous versions of IE causing our clients to get in a loop installing KB960714 and KB2416400. Make sure you search for 960714 when declining this update.
Anonymous
December 16, 2010
I am also seeing some weirdness in my testing of the December patches. I am seeing certain XP and 2003 systems re-prompting to download the following older patches, although they are already installed on the system and Set to Install in WSUS - 958215, 961260, 963207.Any ideas on what is going on?
Anonymous
December 16, 2010
Another piece of weirdness: our MHT files we use for internal SOP documents, which contain embedded JPG files, are not rendering the images in i.e. If you edit them in Word, for example they show up. The MHT display correctly in other browsers.
Anonymous
December 16, 2010
Adding to the sentiment experienced above: Older updates were offered to Win2k3 servers (IE 7 related updates - 976325, 974455, 2360131). All of these updates were already installed. Affected servers kept rebooting i.e. installed old update, reboot, WSUS offers/installs it again - reboot. Went into WSUS and declined affected updates. Seems to have fixed the issue.
Anonymous
December 16, 2010
Thanks for the information, Issue 2 sorted out my problem, though I had to go back through and approve 23 updates in the sequence which took a while.
Anonymous
December 16, 2010
We're having an issue with a few clients where despite their browser version being IE8, the 2416400 updates for IE6 and IE7 are coming up as required in their compliance reports.. the update for IE8 is installed correctly
Anonymous
December 16, 2010
My issue is the same as Issue 1 but the fix doesn't work, the client already has KB2467659 approved and installed.Still everytime I restart it prompts to install KB2416400.
Anonymous
December 16, 2010
If you have problem with KB2416400, check social.answers.microsoft.com/.../bbd51ac5-ba84-488f-ac17-c87de886b372
Anonymous
December 17, 2010
We are seeing isues in our SCCM Compliance reports with Server 2003 systems with IE 8 installed:"Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 (KB2416400)" shows up as approved, required, and installed, which is ok, but the same systems are reporting "Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 (KB2416400)" is approved, required, but NOT installed. It should not be required because they have IE 8 installed.On a similar note, I've seen one case where a Server 2003 system is not compliant because it is missing "Client Update for Microsoft Forefront Client Security (1.0.1732.0) (Windows 2000 SP4) " - Why is an update for Windows 2000 showing as required for a system running Server 2003?
Anonymous
December 17, 2010
I ended up declining all old, superceded updates and working fine now.CURRENT - 2416400 (MS10-090)DECLINED - 2360131, 2183461, 982381, 978207, 976325, 974455, 972260, 969897, 963027, 961260, 960714, 958215, 956390, 953838, 950759, 947864
Anonymous
December 17, 2010
We are also seeing the same issue. I followed the troubleshooting steps listed in the "Issue 2" section, however found that all updates were already set to install. So I ended up declining each old superseded IE update that reappeared after installation of KB2416400.
Anonymous
December 19, 2010
Tried installing patch with MS Update and manually both fail. Tried all of the suggestions still fail. During the MS Update only a partial piece of the update downloads. So I renamed SoftwareDistribution folder and tried again both ways still fail. I give up ! Come exploit my computer.. thanks MS.
Anonymous
December 20, 2010
Here is another way to resolve this :Open up the WSUS console and search for the text “Cumulative Security Update for Internet Explorer”. Decline all the updates that show up in that list.Now, apart from these cumulative updates, there are two IE security updates (976749 and 960714) which are also superseded by two of the cumulative updates 976325 and 961260 respectively. Decline these security updates as well. Last thing to do, search for the update 2416400 and approve the ones which are being deployed. Now, restart the automatic updates/windows update service on the clients and then check for updates again. You should not get prompted for the update any more now. Note: The above steps are supposed to be followed after making sure that the update 2467659 is installed on the computers.
Anonymous
December 20, 2010
Grmbl....I have several Windows Server 2003 and XP machines out there which upgraded from IE6 to IE7 and recently IE8. The IE cumulative patch for IE8 has been installed OK...but the ones for IE6 and IE7 are still reported as missing. Manual installation doesn;t bring anything because they report a different version of IE has been installed then where the patch is for....Looks to me that the detection method is not fully proof.....
Anonymous
December 21, 2010
Looks like it was fixed in the catalog somewhere in the last 24 hours.....haven't seen any notice about it though....!!
Anonymous
December 21, 2010
How do you know it was fixed in the catalog?
Anonymous
December 21, 2010
I don't know if it is "fixed," but the patch catalog certainly changed sometime yesterday. I'm using SCCM, and yesterday 51% of my workstations were compliant. Today only 5% are. The only thing that changed was that my SCCM server refreshed its patch catalog at 7 pm last night. Now a large number of my workstations are requesting patches today that they were not requesting when we deployed patches this past weekend.
Anonymous
December 21, 2010
That makes sense. I am using WSUS and I have synced a few times and I have not recieved any new updates (except definition updates). I will keep an eye on my Sync logs. I currently do not have the patch approved for install as it was causing issues on our DCs with the multiple reboots.
Anonymous
December 21, 2010
Which one is better:Declining the Old revision and approving the latest revison of the Updates we might have missed during these years (Although it take time to find the update chain)OrDeclining all the Updates
Anonymous
December 22, 2010
We have the same issue as "Jeff H 16 Dec 2010 12:59 PM " reported earlier. All htm and mht files created with office tools are not showing any drawings when opened in Explorer 8. Does anyone knows a solution for this?
Anonymous
January 04, 2011
Same issue as Jeff H 16 Dec 2010 12:59 and LodeV 22 Dec 2010 7:39 AM. Images in MHT file are being replaced by text "Bitmap" After uninstalling this update images display perfectly fine. Has anyone figured out a solution for this yet?Thanks.
Anonymous
January 04, 2011
Just FYI,(working in Windows 7 with Office 2010 installed)It seems that the issue with 2416400 is that it does something to the browser so it doesn’t like the way MS Word creates .mht files. MHT files created with Internet Explorer 8 or the Windows Problem Steps Recorder both work fine and display images even with 2416400 installed.I did a test where I created a simple html file with an image and opened it up in IE8. I then saved it out of IE8 as a mht file. The file opens fine and displays the image in IE8. I then opened the file in Word 2010 and simply saved as a different name. That file does not display the image.I also opened the file up on an XP machine with Word 2003 and saved it. That file also won’t display the image in IE8 when 2416400 is installed. After uninstalling 2416400 on this machine and rebooting all of the mht files then displayed the image correctly.
Anonymous
January 04, 2011
For what it’s worth and out of curiosity I built a quick VB6 browser (basically I just dropped the Microsoft Internet Controls tool on a form – ieframe.dll) to see if the problematic .mht files would work and they do, perfectly! Good old old technology! ;-)
Anonymous
January 06, 2011
HiWorkaround 2 fixed the issueThanks a lot
Anonymous
January 10, 2011
Sounds like I'm having a similar issue as a few others who have commented here, and I've been searching for 2 days to find an answer! All of the graphics in published MS Producer presentations have disappeared. If you don't know about MS Producer, and published files contain video synchronized to PPT slides. Once published, a hundred different files are generated, and the graphics are jpg, gif, and png, so I don't think it matters what format the graphics are. They've simply disappeared! Uninstall the KB2416400 IE patch, and the all work fine. Uninstalling isn't an option, this patch was pushed out to thousands of users. HELP! I've posted on a dozen different forums and have been googling for days!
Anonymous
January 10, 2011
In my environment, after approving the MS10-090 patch, only the MS10-071 is offered/installed again.Can I just decline only MS10-071 and approve MS10-090?
Anonymous
January 10, 2011
In my environment, after approving the MS10-090 patch, only the MS10-071 is offered/installed again.Can I just decline only MS10-071 and approve MS10-090?
Anonymous
January 20, 2011
More FYI... (Using Vista - Office 2007 - IE7)I used PowerPoint to create MHT files which I ultimately saved as complete Web pages (.htm). The picture portions of these pages no longer appear when viewed in IE, but the hyperlinks and text remain. Like others, uninstalling 2416400 is the only way I've found to restore the pictures. I too am looking for a resolution that doesn't require uninstalling the security fix. Thanks!
Anonymous
January 28, 2011
MHT Viewing Problem Resolved!My problem turned out to be a conflict with a McAfee application, and the link below leads to the explanation and fix:social.technet.microsoft.com/.../f5946770-0105-4608-b5e9-4535f55d9b7e

Partager via

Comments

Ressources supplémentaires