Why isn't KB925902 a re-release of MS07-008?

Guest

More precisely, why isn't the security patch referred to by KB925902 treated
as a re-release of the XP SP2 security patch referred to by MS07-008? Sure,
it fixes no new vulnerabilities; if you've already installed MS07-008 and are
having no problems with it (such as installing the XP SP2 patch referred to
by MS07-017), then there is no security concern to address by installing the
new patch (the patch currently available from KB925902).

We've seen that before; we've seen patches re-released even though there is
no security benefit to the new patch.

What is different this time?
 
Wesley Vogel

"The update number listed on the security bulletins corresponds to the
Microsoft Knowledge Base (KB) article ID number."
from...
http://www.microsoft.com/security/bulletins/update_number.mspx

"Microsoft Knowledge Base articles that are associated with security updates
that have been released since October 15, 2003, provide a link to the
corresponding security bulletin without duplicating some of the same
information in the security bulletin. All information that was previously
available only in the Knowledge Base article (such as file information) is
now provided in the security bulletin."
from...
http://support.microsoft.com/kb/824689

MS07-017 and KB925902 are the same thing. MS07-008 and KB928843 are the
same thing. KB925902 and KB928843 are NOT the same thing.

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx

MS07-017: Vulnerability in GDI could allow remote code execution
http://support.microsoft.com/kb/925902

Microsoft Security Bulletin MS07-008
Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution
(928843)
http://www.microsoft.com/technet/security/bulletin/MS07-008.mspx

MS07-008: A vulnerability in the HTML Help ActiveX control could allow
remote code execution
http://support.microsoft.com/kb/928843

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

Sorry about that. I'll try to scratch that question and start over again.

It's the patch referred to in 935448 (replaces Hhctrl.ocx) that looks like a
re-release of MS07-008 (replaces Hhctrl.ocx), but isn't treated as a
re-release of MS07-008.

I wish I had been as rigorous in my question as you were with your response.

I'll start over again.
 
Wesley Vogel

It's the patch referred to in 935448 (replaces Hhctrl.ocx) that looks like
a re-release of MS07-008 (replaces Hhctrl.ocx), but isn't treated as a
re-release of MS07-008.

Because it is not a re-release of MS07-008.

<quote>
CAUSE
This problem may occur after you install security update 925902 (MS07-017)
and security update 928843 (MS07-008). The Hhctrl.ocx file that is included
in security update 928843 and the User32.dll file that is included in
security update 925902 have conflicting base addresses. This problem occurs
if the program loads the Hhctrl.ocx file before it loads the User32.dll
file.
</quote>
from...
Certain third-party applications may not start, and you receive an error
message when you start the computer: "Illegal System DLL Relocation"
http://support.microsoft.com/kb/935448

KB935448 is a Hotfix not a Security Update.

Update for Windows XP (KB935448)
http://www.microsoft.com/downloads/...88-3131-429C-8FCB-F7B3B0FD3D86&displaylang=en

A Hotfix is a patch to fix a bug in some file. In this case KB935448 is a
Hotfix to fix a bug in Hhctrl.ocx that was also somehow compounded by the
User32.dll file that is included in security update 925902. Also a problem
if you have Realtek HD Audio Control Panel, ElsterFormular 2006/2007, TUGZip
or CD-Tag installed.

Hotfix
Definition: A hotfix is a single, cumulative package that includes one or
more files that are used to address a problem in a product and are
cumulative at the binary and file level. A hotfix addresses a specific
customer situation and may not be distributed outside the customer's
organization.

Security Update
Definition: A security update is a broadly released fix for a
product-specific, security-related vulnerability. Security vulnerabilities
are rated based on their severity. The severity rating is indicated in the
Microsoft security bulletin as critical, important, moderate, or low.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
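
The base-address conflict described in the quoted CAUSE text can be checked from the PE headers of any two modules. The following is an added example, not part of the original posts or of Microsoft's article: it reads the preferred load range (ImageBase to ImageBase + SizeOfImage) from each header and reports overlapping pairs. The module names and addresses in `SAMPLE` are constructed for the demonstration.

```python
import struct

def preferred_range(pe):
    """Return (ImageBase, ImageBase + SizeOfImage) read from a PE header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20              # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                   # PE32: 32-bit ImageBase at offset 28
        (base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                 # PE32+: 64-bit ImageBase at offset 24
        (base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (size,) = struct.unpack_from("<I", pe, opt + 56)   # SizeOfImage
    return base, base + size

def find_conflicts(modules):
    """Return sorted name pairs whose preferred load ranges overlap."""
    r = {name: preferred_range(data) for name, data in modules.items()}
    names = sorted(r)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if r[a][0] < r[b][1] and r[b][0] < r[a][1]]

def make_pe32_header(image_base, size_of_image):
    """Build a constructed, minimal PE32 header (demo input, not loadable)."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)

# Constructed sample: hypothetical module names and addresses.
SAMPLE = {
    "module_a.dll": make_pe32_header(0x60000000, 0x90000),
    "module_b.ocx": make_pe32_header(0x60080000, 0x40000),
    "module_c.dll": make_pe32_header(0x61000000, 0x20000),
}

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE):
        print(f"preferred ranges overlap: {a} <-> {b}")
```

To check real files, pass each file's bytes (for example `open(path, "rb").read()`) in place of the constructed headers.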
