Detection and Deployment strategies
Environments that detect and deploy security updates by using the public Windows Update Web site and the Office Update Web site
If you detect and deploy security updates by using the
public Windows Update Web site and the Office Update Web site, you can detect and deploy most of the February 8, 2005, releases. The
exception is part of MS05-009.
- Windows Update does not update the MSN Messenger 6.1 and
6.2 products that are listed in MS05-009. To download the update, visit the following MSN Messenger Web site:
- Use the Enterprise Scan Tool (EST) to
scan systems that are running MSN Messenger to see if they are vulnerable. In smaller
environments, it is easiest to visit the few computers that may need
updates, verify the versions of these products, and then update the products from
the Download Center links that are available in the bulletin.
Environments that detect security updates using MBSA
If you use MBSA to detect security updates, you can detect most of the February 8, 2005, releases. The
exceptions are MS05-004, part of MS05-006, and part of MS05-009.
- You can use EST to detect MS05-004.
- The EST or Software Update Services (SUS) detects the
Windows SharePoint Services product that is listed in MS05-006. The Windows SharePoint Team
Services product that is listed in MS05-006 is only detected by using a local scan from the
Office Detection Tool (ODT) that is integrated into MBSA.
- The EST detects all the affected products that are listed in MS05-009.
MBSA detects only the Media Player 9 product.
Environments that detect and deploy security updates by using Software Update Services
If you use Software Update Services to detect and deploy security updates, you can detect most of the February 8, 2005, releases. The exceptions are MS05-005 and part of MS05-006.
- SUS does not detect or deploy any part of MS05-005.
MBSA will detect MS05-005 in part. For details, see the MBSA section.
To deploy MS05-005, visit the Office Update Web site
or use a more robust deployment tool such as SMS.
- With MS05-006, MBSA does detect if the
update for this vulnerability is required for Windows SharePoint Team Services. MBSA
does this by using the Office Detection Tool and is therefore limited to local
scans. Additionally, MBSA does not currently support the detection of Windows
SharePoint Services. However, an Enterprise Scan Tool has been
developed to help determine whether the Windows SharePoint Services security update
is required.
- You will have to use MBSA to detect the Windows SharePoint Team
Services product that is part of MS05-006. To deploy MS05-006, visit
the Office Update Web site or use a more robust deployment tool such as SMS.
Environments that detect and deploy security updates by using SMS with the Software Update Services Feature Pack
If you use SMS to detect and deploy security updates, you can detect the February 8, 2005, releases. To download the EST packages that are specific to detection and deployment by using SMS, visit the following Web site:
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
894154
How to obtain and use the February 2005 Security Update Scan Tool in environments that use Systems Management Server 2003 and Systems Management Server 2.0
Detection and deployment matrix
| Office Update | Windows Update or Automatic Update | MBSA and ODT | SUS | Stand-alone EST | SMS with SUS Feature Pack |
| Bulletin | Detect and Deploy | Detect and
Deploy | Detection only | Detect and Deploy | Detection
only | Detect and Deploy |
| MS05-004 | N/A | Yes | No | Yes
| Yes | Yes - complete detection and deployment with the SMS
specific EST package |
| MS05-005 | Yes | N/A | Yes | N/A
| N/A | Yes |
| MS05-006 | Only updates Windows SharePoint Team Services
| Only updates Windows SharePoint Services | Only detects Windows
SharePoint Team Services by using a local scan | Only updates Windows
SharePoint Services | Only detects Windows SharePoint Services
| Yes complete detection and deployment with the SMS specific EST
package |
| MS05-007 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-008 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-009 | N/A | Only updates Media Player 9 and
Windows Messenger | Only detects Media Player 9 | Only updates Media Player 9 and
Windows Messenger | Yes | Yes complete detection and deployment with the SMS
specific EST package |
| MS05-010 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-011 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-012 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-013 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-014 | N/A | Yes | Yes | Yes
| N/A | Yes |
| MS05-015 | N/A | Yes | Yes | Yes
| N/A | Yes |
Note This detection and deployment guidance applies to Windows NT 4.0
and Windows NT 4.0 Terminal Server Edition only in the context of MS05-010.
Frequently asked questions
Q1: What is Microsoft doing to provide me guidance on how to deploy these updates?A1: Microsoft encourages system administrators to join the
monthly technical webcast to learn more about the February security updates. This webcast will occur on
February 9, 2005, at 11:00 A.M. Pacific Time. Because of the complex deployment
scenarios of this month's release, the technical webcast will be extended to
two hours. To register, visit the following Web site:
There
is an additional PSS webcast on February 16, 2005, to provide additional deployment support to systems administrators. To register, visit the following Web site:
This month, Microsoft
is also providing an additional resource to help in the deployment of
security updates in the form of the Enterprise Scan Tool. The Enterprise
Scan Tool is a supplement to the Microsoft Baseline Security Analyzer. The Enterprise Scan Tool helps detect vulnerable computers when MBSA cannot do this.
Q2: Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether the updates are required?A2: You can use the Microsoft Baseline Security Analyzer to
detect the following security updates released this month:
Note With MS05-006, MBSA does detect if the
update for this vulnerability is required for Windows SharePoint Team Services. MBSA
does this by using the Office Detection Tool and is therefore limited to local
scans. Additionally, MBSA does not currently support the detection of Windows
SharePoint Services. However, an Enterprise Scan Tool has been
developed to help determine whether the Windows SharePoint Services security update
is required.
For additional information bout the programs that MBSA currently detect, click the following article number to view the article in the Microsoft Knowledge Base:
306460
Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates
If you have installed
any one of the programs that are listed in the Affected Software section of the
security bulletin, you may have to manually determine whether you have to
install the required update. For more information about MBSA, visit the
following Web site:
Note With MS05-014, this release
includes an update for Internet Explorer 6 Service Pack 1 designed for Windows
2000 and Windows XP Service Pack 1. If you are still managing Windows NT 4.0
systems in your enterprise, and you are using MBSA, a software update scan will
show this update as applicable on Windows NT 4.0 systems. However, this update is intended only for the supported operating systems mentioned in the
Affected Software section of the security bulletin.
Q3: For which security bulletins will I have to use the Enterprise Scan Tool with MBSA to identify vulnerable systems on my network?A3: You will have to use the Enterprise Scan Tool with MBSA for the following security bulletins:
Q4: Can I use Systems Management Server (SMS) to determine whether the updates are required?A4: Yes. SMS can help detect and deploy these security
updates.
Note SMS uses MBSA for detection. Therefore, SMS has the same
limitations related to programs that MBSA does not detect. For information
about SMS, visit the following Web site:
You must use the Security Update Inventory Tool to detect Microsoft Windows and other affected Microsoft products. For more
information about the limitations of the Security Update Inventory Tool, see
the following Microsoft Knowledge Base article.
306460 Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates
SMS can also use the
Microsoft Office Inventory Tool to detect for required updates for Microsoft
Office applications such as Windows SharePoint Team Services.
Q5: On which bulletins will I have to use the Enterprise Scan Tool with SMS to identify vulnerable systems on my network?A5: You will have to use the Enterprise Scan Tool should be used in
combination with SMS for the following security bulletins:
Q6: I am trying to install MS05-004. Is there an additional tool that can help me determine vulnerable systems?A6: Yes. As part of an ongoing commitment to provide
detection capability for each bulletin release, a stand-alone detection tool
has been made available for the ASP.NET security update. This tool is available from the Microsoft
Download Center by searching on the following keywords: enterprise, scan tool, and the
bulletin ID. There is also a version of this tool that SMS customers can download. To download this tool, SMS customers can visit the following Web site:
Q7: I am trying to install MS05-006. Is there an additional tool to help me determine vulnerable systems?A7: Yes. As part of an ongoing commitment to provide
detection capability for each bulletin release, a stand-alone detection tool
has been made available for the Windows SharePoint Services security update. This tool is available from
the Microsoft Download Center by searching on the following keywords: enterprise, scan
tool, and the bulletin ID. To download this tool, SMS customers can visit the following Web site:
Q8: I am trying to install MS05-009. Is there an additional tool to help me determine vulnerable systems?A8: Yes. As part of an ongoing commitment to provide
detection capability for each bulletin release, a stand-alone detection tool
has been made available for all the affected products that are listed in the MS05-009
security bulletin. This tool is available from the Microsoft Download Center by
searching on the following keywords: enterprise, scan tool, and the bulletin ID. To download this tool, SMS customers can visit the following Web site:
Q9: I have received a hotfix from Microsoft or my support provider since the release of MS04-004. Is that hotfix included in MS05-014?A9: Yes. When you install this security update, the
installer checks to see if one or more of the files that are being updated on
your system have previously been updated by a Microsoft hotfix. If you have
previously installed a hotfix to update an affected file, the installer copies
the files that contain the hotfix to your system. Otherwise, the installer copies
the files without the hotfix to your system.
Q10: The command line installation switches with MS05-014 are different for Windows 2000 and Windows XP operating systems than MS04-025. Why is that?A10: Starting with
MS04-038, the
packages that are downloaded from the Web for Windows 2000 and Windows XP Service Pack 1
use a new installation technology, Update.exe. Therefore, the installation
options are different from previous releases. Also, as part of the change to
the Update.exe installation technology, the Knowledge Base Article number of
this update will no longer be displayed in the About Internet Explorer dialog
box in Internet Explorer. For more information about the command line switches
that are that are available for this release, see the "Security Update
Information" section of the security bulletin. If you automatically downloaded
this package as a function of the SMS SUS Feature Pack, the command line
parameters are based on the SMS Installer package and are different from the
Web download version.
Q11: Are there any other special considerations that I should consider when I deploy MS05-014?A11: This update does include hotfixes that have been
released since the release of
MS04-004 and
MS04-025. However, they are installed only on systems that need them. Customers who have
received hotfixes from Microsoft or from their support providers since the
release of
MS04-004 or
MS04-025 should
review question nine to determine how to make sure that the appropriate hotfixes are
installed. Microsoft Knowledge Base article
867282 also documents this in more
detail.
Note The update for the
Drag-and-Drop Vulnerability, CAN-2005-0053, comes in two parts. It is
addressed in part in the MS05-014 security bulletin. This security bulletin,
together with security bulletin
MS05-008, makes
up the update for CAN-2005-0053. These updates do not have to be installed in
any particular order. However, we recommend that you install both
updates.