XP Service Pack 3 blocks .NET security patches

By Susan Bradley

Installing SP3 on Windows XP eliminates the operating system’s ability to install important security patches for Microsoft’s .NET technology and possibly other software.

This problem forces XP SP3 users to apply patches manually to complete vital updates.

The new error is the latest in a long series of glitches relating to XP’s SP3, which Scott Dunn described in his Sept. 11 Top Story. The issues include spontaneous rebooting of systems based on AMD chipsets, as documented by Jesper Johansson in a blog post from last May.



To determine whether your XP SP3 system has a version — or multiple versions — of the .NET Framework installed, open Control Panel’s Add or Remove Programs applet and look for it among the list of currently installed programs. If you don’t see any .NET entries, you don’t have the framework installed on your system and needn’t be concerned about the update problem.

If you do see a listing for Microsoft .NET Framework, you need to use a third-party update service such as Secunia’s Software Inspector (described below) to patch the program.
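The same check can be run from a command prompt instead of Add or Remove Programs. The batch script below is an added example, not part of the original article; it assumes the standard .NET detection values under `HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP` and uses only `reg.exe`, which ships with Windows XP.

```bat
@echo off
rem Added example (not from the article): report which .NET Framework
rem versions the registry records as installed, with the SP value.
rem Assumption: the standard detection keys under "NET Framework Setup\NDP".
setlocal
set "NDP=HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP"
set "FOUND=0"

rem Arguments: subkey, name of the install-flag value, display name.
rem .NET 3.0 records its flag as InstallSuccess under the \Setup subkey.
call :check "v1.1.4322"  Install        ".NET Framework 1.1"
call :check "v2.0.50727" Install        ".NET Framework 2.0"
call :check "v3.0\Setup" InstallSuccess ".NET Framework 3.0"
call :check "v3.5"       Install        ".NET Framework 3.5"

if "%FOUND%"=="0" echo No .NET Framework version is recorded as installed.
endlocal
goto :eof

:check
set "FLAG="
set "SP="
rem Keep only the REG_DWORD line; the third token is the value (0x1 = installed).
for /f "tokens=3" %%A in ('reg query "%NDP%\%~1" /v %2 2^>nul ^| find "REG_DWORD"') do set "FLAG=%%A"
if not "%FLAG%"=="0x1" goto :eof
set "FOUND=1"
rem The SP value sits on the version key itself, so drop a trailing \Setup.
set "KEY=%~1"
if /i "%KEY:~-6%"=="\Setup" set "KEY=%KEY:~0,-6%"
for /f "tokens=3" %%A in ('reg query "%NDP%\%KEY%" /v SP 2^>nul ^| find "REG_DWORD"') do set "SP=%%A"
if not defined SP set "SP=not recorded"
echo %~3 is installed, SP value: %SP%
goto :eof
```

Any version the script lists that Windows Update does not offer patches for on an XP SP3 machine is one to update manually or through a third-party scanner.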

A Sept. 16 post on the Windows Server Update Services (WSUS) blog disclosed that .NET 3.0 would not be offered to XP SP3 users. On Sept. 23, Microsoft Knowledge Base article 894199, which tracks changes in the company’s patches, indicated that .NET 3.0 and .NET 3.0 Service Pack 1 should be offered to XP SP3 workstations as optional patches.

However, when I tested this on various Windows XP SP3 configurations, I wasn’t offered .NET 3.0 as an optional patch. Things got really dicey on my first attempt to install .NET on a Windows XP SP3 machine. During that test, updates for .NET 1.1 and .NET 2.0 failed midstream. I had to use the Windows Installer CleanUp Utility (which is described in KB article 290301) and Aaron Stebner’s .NET Framework cleanup tool (download page) to uninstall the partially installed .NET frameworks.

Ultimately, I had to install .NET 3.5 SP1 in order to get any .NET framework loaded onto the test XP workstation. While the latest version of .NET 3.5 is a cumulative patch and thus could be installed in place of prior versions of .NET, what invariably occurs is that line-of-business applications require and install earlier versions of .NET.

For example, one of the programs I use regularly is QuickBooks, which includes .NET 1.1 in some versions and 2.0 in the 2008 and 2009 releases. I recommend against removing various versions of .NET if the frameworks were installed by your applications.

On my second and third tests of Windows XP SP3 machines, Windows Update did not detect .NET 3.0 as an optional update, but the frameworks were installed without error just the same. However, to manually update the XP systems, I first had to install Microsoft’s Windows Genuine Advantage tool, which is described in KB article 892130.

Next, I had to upgrade the installer program, as described in KB article 898461. After installing these two programs and returning to the Windows Update service, the XP SP3 machine was offered .NET 1.1 and .NET 2.0 as optional updates but not .NET 3.0 as a patchable item.

Figure 1. Windows Update fails to offer Windows XP SP3 the most recent .NET 3.0 framework.

When I attempted to update a system running Windows XP SP2, I was offered .NET 3.0 as an optional update, as shown in Figure 2 below.

Figure 2. On a PC running XP SP2, Windows Update does offer .NET 3.0.

I recommend that you install any version of the .NET framework only when your applications need it. However, Microsoft security bulletins dated as recently as Nov. 25 indicate that XP SP3 machines should be offered .NET 3.0. Clearly, XP SP2 PCs are prompted to install .NET 1.1, 2.0, and 3.0, while XP SP3 users are offered only .NET 1.1 and 2.0.

A full three months after Microsoft’s WSUS support blog disclosed that PCs using XP SP3 aren’t offered .NET 3.0 as an optional patch, the problem still has not been fixed. If you rely on Windows Update or Microsoft Update for your patching needs, use Secunia’s online Software Inspector service to ensure that you’re getting all the updates you need.

Even better than the online detection tool is Secunia’s Personal Software Inspector (download page), which you download and install onto your PC to constantly monitor the update status of the software on your system. The free program will alert you to older versions of Java, Flash, and other common applications, including Microsoft’s .NET Framework. You’ll be walked through the process of removing older — and possibly vulnerable — versions.

Based on the numbers from Secunia for the first week following the removal of the program’s “beta” tag, you need to scan your PC for out-of-date apps right away. Secunia PSI Partner Manager Mikkel Locke Winther reports that of the 20,000 new system scans conducted in the first seven days of PSI’s official release, only 1.91% had no insecure programs, and a whopping 45.76% had 11 or more insecure programs installed.

For a complete rundown of the early PSI scan results, check out Jakob Balle’s Dec. 3 blog post.

MS08-067 (958644)
Malware targets recent Windows worm threat

The Microsoft Security Resource Center reports an increase in malware attempting to take advantage of the security breach described in Security Bulletin MS08-067. If you have not already done so, please ensure that you have installed this patch.

There are few reports of problems resulting from this fix, and most of those glitches concern wireless connectivity. In those rare cases, uninstalling and reinstalling the patch, or deactivating your antivirus and firewall programs, appears to remedy the problems.

Support desks are seeing an increased number of calls from people infected by this malware. Quite honestly, there’s no excuse for not patching this hole. After an easy install and a quick reboot, you’re protected.

Vista Service Pack 2 beta goes public

If you’re the type who enjoys paper cuts, tight-fitting shoes, and tax planning, you’ll want to know about the public beta of Service Pack 2 for Windows Vista and Windows Server 2008. You can now visit this page to sign up for Microsoft’s Customer Preview Program (CPP) and volunteer as a Vista SP2 tester.

According to a post on the Windows Vista blog by Windows Product Management VP Mike Nash, the CPP is intended for “technology enthusiasts, developers, and IT pros” who want to test the service pack on their networks. Nash recommends that “most customers” wait to install the final release of the service pack.

I’ll go even further: most Vista users should wait until several weeks after the service pack’s final release to install it. That way, you can let the early adopters work through all the service pack’s inevitable glitches and incompatibilities.

You know what they say: you can tell the pioneers because they’re the ones with the arrows sticking out of their backs.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2008-12-04:
