May 032014

Internet Explorer logoAs I have… well, “reported” in my feverish delirium on the 08th of April, support for Windows XP and Windows XP Professional x64 Edition has ended on that very day. So how is it exactly, that I can now look at this:

Microsoft patching an IE security flaw for Windows XP x64 SP2

Microsoft patching an IE security flaw for Windows XP x64 SP2 as reported [here] and on several other sites despite official support having ended on 2014-04-08.

So what’s it gonna be, Microsoft? We now get the “super critical” ones, or the ones that get that [very special kind of media attention] – it’s not every day that the U.S. department of homeland security tells XP users to switch browsers after all – and the others you drop because official support has ended? Sure, this flaw is critical, allowing easy remote code execution by presenting malicious websites to any version of Internet Explorer, all the way down to IE6, which by todays standards is a completely neolithic browser. And even IE6 on XP gets the update, which is hilarious even for a die hard conservative Windows user like me.

Well, Microsofts Trustworthy Computing TechNet blogger, Mr. Dustin C. Childs [wrote on his weblog], that we shouldn’t be expecting more. Quote:

“[…] We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft,and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11. […]”

-Dustin C. Childs, Microsoft Trustworthy Computing

Of course they would say that… Plugging the worst of holes while not raising any hopes is probably the right strategy from their point of view. It seems that there is still too much XP out there for them to handle by refusal only.

I wonder though, will something like this happen again? Was Windows 2000 not provided with the fix because it’s considered too ancient when compared to XP/XP x64? There is no really reliable standpoint here, so we’ll have to wait and see. More information and downloads follow:

  • [Download] security update for KB2964358 for Windows XP x86 for offline installation.
  • [Download] security update for  KB2964358 for Windows XP Professional x64 Edition for offline installation.
  • Microsoft [KB2964358 knowledgebase article].
  • Microsoft TechNet [Security Bulletin MS14-021] providing more extensive information about the flaw and severity ratings for all browser versions (IE6-11) for all operating systems said to be affected, plus information on how to undo the ACL modifications that were provided as a quick fix before the real patch came out.

Of course, if you have automatic updates turned on, you don’t have to download the files from above, that’s just for the distant future after Microsoft will have switched off Windows Update for XP altogether.

Oh and, as always, there is one thing that you could also do: Just don’t use Internet Explorer. There are enough other options these days.

CC BY-NC-SA 4.0 Miracles do happen? One more update for IE on Windows XP! by The GAT at is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

  6 Responses to “Miracles do happen? One more update for IE on Windows XP!”

  1. Just updated WSUS, but unfortunately no XP x64 updates… :-(

    There are a few security updates for 2003 x64:
    Security Update for Windows Server 2003 x64 Edition (KB2926765) 2926765
    Security Update for Microsoft .NET Framework 4 on Windows Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 x64 (KB2931365) 2931365
    Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 for x64-based Systems (KB2932079) 2932079
    Security Update for Internet Explorer 6 for Windows Server 2003 x64 Edition (KB2953522) 2953522
    Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB2953522) 2953522
    Security Update for Internet Explorer 8 for Windows Server 2003 x64 Edition (KB2953522) 2953522
    There are no ‘normal’ updates for Server 2003 this month.

    I can’t yet get KB2926765 to work, but the file that needs to be updated is there on a regular XP x64 installation.
    The IE update does work, and will test the .net updates when I’m at work, where most computers have .net installed.

    • Thanks a lot for the detailed KB list, awesome!

      I have just tried them out and can now confirm the .Net 2.0 SP (KB2932079), .Net 4.0 (KB2931365) and IE8 (KB2953522) updates to work. I ran into problems with KB2926765 too however. I unpacked it and found the error to originate from update/update.exe. It doesn’t seem to be linked to the bundled .inf files, as they show matching kernel version and build numbers.

      I’ll look into it, maybe I can find a solution, or maybe you can. I am reluctant to just copy the DLL files over the old versions manually, as I consider this very, very dirty work. We’ll see.

      Thanks for your report in any case, good work!

      Edit: I checked the update.exe file with a hex editor, and found the following checks:

      • Major kernel version (5, match)
      • Minor kernel version (2, match)
      • Service Pack version (2, match)
      • Build number (3790, match)
      • Language (English, match)
      • Machine type (x86, x64 or IA64. x64 is a match)
      • Do we have administrative privileges? (Yes)
      • Are we on Windows 2003 Datacenter Server, which is unsupported by this update? (No)

      So, no luck so far. Will keep looking.

      • Just extract the update and copy the shlwapi.dll to system32 and the other shlwapi.dll to the syswow64 directory. ;-) look at the ‘more information’ header. It says something about an installed update, which is not available for 2003. But the security update works without problems on my virtual 2003 r2 “server”.

        The list is from WSUS, by the way.

        • Yeah, I’d like to avoid that, just copying the DLLs over. If possible I’d like to use Windows’ own (de)installation capabilities and I’d like the update to be registered properly on the system. So I’ll keep looking for ways to pull this off properly.

          According to the security bulletin MS14-027, the vulnerability requires a locally authenticated user to be able to pull off the privilege escalation fixed in KB2926765. This is a scenario highly unlikely in my case, so I don’t feel an urgent need to fix it ASAP. I’ll look for some ways to get it installed cleanly.

          If impossible, I’ll go the manual route.

          Oh, will you keep track of all Server 2003 x64 updates in the future and keep trying to apply them to XP x64?

          Because if yes, it would be nice to publish that somewhere, this is really helpful information for people who are not running their own WSUS servers!

        • I’m starting to close in on this. I attempted to modify update_SP2QFE.inf to change the prerequisites!



          Replace with:


          This will fail when launching update.exe however, as the *.inf files are protected by digital signatures in KB2926765.CAT. So we need to modify a function called IsInfFileTrusted in update.exe to enable it to work with modified INF files. This can only be done on a binary level, and I tried to work with the IDA disassembler like shown for the 32-Bit update.exe [here], but I’m just out of my league there. I cannot port this to x86_64 myself!

        • Ok, I got it! I will write a new post about it, and link it here. It’s gonna take another 1-3 hours or so!

          Edit: And [heeere we go]! All nice and clean. :) Now we can say hello to another year of XP x64 quasi-support! :)

          Edit 2: So, here is my first attempt at proper redistribution. It’s in a ZIP file, because WordPress won’t allow .exe, so yeah, here you go: [KB2926765]. It’s based on a WinRAR SFX archive and contains some additional information such as the Windows XP x64 EULA and a link to the respective security bulletin at Microsofts’. It’s ok if you don’t trust this file though, the guide to build your own hacked version is there anyway. :)

          Edit 3: I have decided to bring up a proper distribution system. A Windows Server 2003 has been set up as an update notification machine, and [here is the distribution site]. New updates will be checked for compatibility in a dedicated XP x64 VM and then on my physical host, after which they will be published on that site or discarded if not applicable on XP x64. I guess it’s time to resist planned obsolescence again, eh?

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">