Extended support for Vista SP2 ended on 11-Apr-2017, but Microsoft has taken the unusual step of releasing out-of-band security updates in June 2017 to patch vulnerabilities for three additional NSA-leaked exploits (EnglishmanDentist, EsteemAudit
and ExplodingCan) for older operating system like Win XP and Vista.
See Woody Leonhard's 13-Jun-2017 Computerworld article There's a reason Microsoft
is patching Windows XP again this month as well as the June 2017 blog entry on the Microsoft Security Response Center subtitled
Microsoft releases additional updates for older platforms to protect against potential nation-state activity for additional
information.
The five new security updates for Vista SP2 are listed in Tables 2 and 3 of the
Microsoft Security Advisory 4025685: Guidance for Older Platforms: June 13, 2017. These
updates were not delivered via Windows Update and must be installed manually using .msu offline installers.
Download links are included in Advisory 4025685 and installers were also posted on the Microsoft Update Catalog in June 2017 at the following links:
KB4018271 (Cumulative Security Update for Internet Explorer 9: May 9, 2017)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4018271 Vista
KB4018466 (Security Update for the Windows SMB Information Disclosure Vulnerability: May 9, 2017)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4018466 Vista
KB4021903 (LNK Remote Code Execution Vulnerability: June 13, 2017)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4021903 Vista
KB4024402 (Windows Search Vulnerabilities: June 13, 2017)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4024402 Vista
KB4019204 (Security Update for the Windows Win32k Information Disclosure Vulnerability: May 9, 2017)
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4019204 Vista
Install these security updates as follows:
- Disable automatic Windows Updates [Windows Update | Change settings | Important updates | Never check for updates (not recommended)] and re-boot to terminate any Windows Update session currently running in the background.
- Download the offline .msu installers and save them to your Windows desktop. Use the Vista x86 installer if you have a 32-bit OS; use the Vista x64 installer if you have a 64-bit OS.
- Double-click each .msu file on your desktop to start the installation and restart your computer when prompted after the installer is finished.
Once all missing updates are installed you can reset your automatic Windows Updates back to your preferred setting.
____________________________________________
All Vista SP2 computers that were fully patched as of 11-Apr-2017 should have received the earlier updates listed in Table 1 of the advisory. This includes security update
KB4012598 (MS17-010: Security Update for Microsoft Windows SMB Server, March 14, 2017) to protect against the
EternalBlue exploit used in the recent Shadow Broker WannaCry / WannaCrypt ransomware attacks.
To confirm that KB975517 (rel. Oct 2009), KB2347290 (rel. Sep 2010) and KB4012598 (rel. Mar 2017) were installed by Windows Update go to Control Panel | Programs | Programs and Features |
View Installed Updates and search for the full KB number in the search box (e.g., "KB4012598" and not a partial string like "4012598").
If you are missing any of these older updates, please note that many Vista SP2 users are currently affected by a problem where the initial
"Checking for updates..." phase of Windows Update can hang for several hours (or even days) while the Windows Update Agent searches for available updates. See the instructions posted on page 1 of m#l's thread
Updates not working, it
has been searching for updates for hours for a possible workaround that should help speed up Windows Update and ensure that all security updates released as of 11-Apr-2017 are also installed on your system.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.2.0 * NS v22.9.4.8 * MB Premium v3.1.2
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS