how to install patches by using files with .cab extension

    Question

  • Hi Team,

    I was using MBSA 2.1 to install patches on servers (Windows Server 2003). From the MBSA report, I used to download security patch (.exe) files. Now I tried to run the same MBSA version on Windows Server 2008 R2. Here, from the MBSA report, when I try to download the patches, it downloads .cab files, not .exe. How do I install these patches using the .cab files? I can't install them just by executing the .cab files. Please help.

    Thursday, July 14, 2011 9:35 AM

Answers

  • Although PKGMGR (Package Manager) for Vista/Server 2008 and its renamed version (DISM) in Windows 7/Server 2008 R2 might be the best way to execute the CAB, there are risks that make this approach unsupported and less desirable.

    MBSA Download Link

    When MBSA was originally designed, updates were single EXEs that installed as a single update. This allowed earlier versions of MBSA to provide a helpful 'Download' link for each missing update MBSA found that was needed on a machine. Over time, updates released by Microsoft have become far more complex - often including multiple bundled updates. For example, a .Net Framework update may include a MSI database cleanup tool, an XML parser fix in addition to the actual .Net Framework update. There may even be a prerequisite update within the bundle that needed to be installed before the subsequent payloads would even successfully install. This means that instead of the 'old days' where there was a single EXE for each update, the new standard is multiple updates 'bundled' within a single parent update.

    CBS and CAB Files

    Beginning with the release of Windows Vista, Windows updates are now .CBS packages that are intended to be installed through automatic means. They can be installed manually using PKGMGR (Vista) or DISM (Windows 7). These .CBS packages are wrapped into a CAB format for transportability and security (each contains a MSFT digital signature). But because MBSA only reports on the first CAB (formerly EXEs) within a bundle, even installing the named CAB reported by MBSA 2.1 isn't sufficient to ensure the comprehensive set of updates needed on the PC are installed.

    Since the well-intentioned MBSA feature to provide a Download link can only point to a single package within a bundle (and it may not even be the most important item within the bundle), MBSA 2.2 removed the download link altogether. This was to alleviate the confusion and issues that stemmed from users attempting to use the download link as the authoritative source for the single update needed to resolve the named vulnerability.

    For these reasons, you should no longer use the Download link content to install the needed security update (an upgrade to MBSA 2.2 will correct a few bugs and remove this problem-prone download link). Similarly, even if you successfully use PKGMGR or DISM to install the needed update wrapped into a CAB file, it may only satisfy part of the needed vulnerability and not the entire MBSA-reported security update.

    I hope that helps.


    Doug Neal - Microsoft Update and MBSA
    Friday, July 15, 2011 7:56 PM

All replies

  • Friday, July 15, 2011 9:19 AM
  • Doug,

    I've been using MBSA 2.2 to develop the list of required updates for my Internetless XP Pro and Server 2003 R2 systems, downloading them from the MS Update Catalog and installing them via a .cmd file.  The switch is either "/Q" or "/passive /norestart" depending on the update.  I have no Vista/Windows 7 systems yet so I'm not using PKGMGR or DISM, just msiexec I assume.

    Are you saying that even though MBSA 2.2 then shows the updates as having been installed (successfully) that may not be the case?  Or will MBSA only report the fully mitigated vulnerability as a successful install?

    If PKGMGR or DISM can't be depended on for full mitigation, how are we supposed to keep the Vista or Windows 7 Internetless systems updated?

    Jim

    Tuesday, July 19, 2011 5:19 PM
  • Thank you for sharing your question, Jim.

    To clarify: MBSA is authoritative. If MBSA indicates the update is installed, it's installed. If it indicates an update is missing, the update or some portion of the update is missing and needs to be installed. So, yes - MBSA will only report that the update is installed if the fully mitigated vulnerability is successfully installed.

    Also - Using PKGMGR/DISM in Vista/Win7 systems to install an update retrieved from the Download Center or any other Microsoft.com site will install all bundled updates. Of course, for connected systems, it's much easier to simply use Microsoft Update.

    The shortcoming is in MBSA version 2.1 and earlier where MBSA provides a download link. For Vista/Win7 systems, this download link may point to only a single item with a CAB, not always the complete CAB containing all needed updates. For this reason, MBSA 2.2 was released to remove the download link for missing updates. This alleviates customer confusion by providing a download link that, once installed, often didn't cause MBSA to indicate the update was fully installed (because only a portion of the update was referenced in the Download link).

    I hope that helps...

     


    Doug Neal - Microsoft Update and MBSA
    Tuesday, July 19, 2011 7:12 PM
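
    The offline DISM path discussed above for Windows 7/Server 2008 R2, as an added example that is not part of the original thread and not Microsoft's own script: it checks each CAB's digital signature, installs it with DISM, and records the exit code. The staging folder path and the signer-subject match are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the offline machine.
# $StagingDir is a hypothetical folder holding the complete update CABs
# (not the single CAB behind an MBSA 2.1 download link).
param([string]$StagingDir = 'C:\Updates\Staging')

$results = foreach ($cab in Get-ChildItem -Path $StagingDir -Filter *.cab) {
    # Each update CAB carries a Microsoft digital signature; verify it first.
    $sig = Get-AuthenticodeSignature -FilePath $cab.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Assumption: a genuine package is signed with a certificate whose
    # subject contains "O=Microsoft Corporation" and chains to a trusted root.
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        New-Object PSObject -Property @{
            Package  = $cab.Name
            Result   = "SKIPPED: signature status $($sig.Status)"
            ExitCode = $null
        }
        continue
    }

    # Install without forcing a reboot; DISM reports 3010 when one is pending.
    & dism.exe /Online /Add-Package "/PackagePath:$($cab.FullName)" /Quiet /NoRestart | Out-Null
    $code = $LASTEXITCODE

    $result = switch ($code) {
        0       { 'Installed' }
        3010    { 'Installed, restart required' }
        default { 'FAILED, see C:\Windows\Logs\DISM\dism.log' }
    }

    New-Object PSObject -Property @{
        Package  = $cab.Name
        Result   = $result
        ExitCode = $code
    }
}

$results | Select-Object Package, Result, ExitCode | Format-Table -AutoSize

# A clean DISM exit code only says the package installed. Per the thread,
# a rescan with MBSA 2.2 is what confirms the update is fully applied.
```
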
  • Jeff,

    Yes it does!  Having Accredited systems with ambiguous patch states is nothing trivial, so having an authoritative validation is huge.

    I use the KBs listed as missing by MBSA 2.2 to create my MS Update Catalog "shopping list".

    Clean installs of XP Pro SP3 and Windows Server 2003 R2 both require over 100 patches to bring them to currency now.  That doesn't include the updates to the MS Installer and Windows Update Agent, MSXML, Jet, etc.

    That you folks can manage to weed through all of the interrelated files, registry entries, duplicate name/differing version files and come out with an authoritative assessment is a credit to your abilities and hard work.

    And we thank you for it!

    Jim

    Tuesday, July 19, 2011 7:47 PM
  • "JimInTucson" wrote in message news:17fbc522-756a-4d57-b87a-99f6b40a3e2f...

    Jeff,

    Yes it does!  Having Accredited systems with ambiguous patch states is nothing trivial, so having an authoritative validation is huge.

    I use the KBs listed as missing by MBSA 2.2 to create my MS Update Catalog "shopping list".

    Clean installs of XP Pro SP3 and Windows Server 2003 R2 both require over 100 patches to bring them to currency now.  That doesn't include the updates to the MS Installer and Windows Update Agent, MSXML, Jet, etc.

    That you folks can manage to weed through all of the interrelated files, registry entries, duplicate name/differing version files and come out with an authoritative assessment is a credit to your abilities and hard work.

    And we thank you for it!

    Jim


    Heh!
    I just had to do a factory restore on a Win7 Home Premium system - the first round of updates (Windows only) was 99.....
    The second round is 43 ...
    eventually I'll get down to the latest .NET updates, when the system will probably barf, and I'll have to start again :)
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, July 19, 2011 8:05 PM
  • The joy of building the batch file for the first round of updates is beyond description :-(

    a. Create patch.txt in the root of your update folder

    b. Shorten the downloaded MS update folder names to just KBxxxx

    c. browse to the top folder; extract the .cab contents if present; copy the .exe or .msp filename

    d. paste it onto the folder name after adding a \

    e. copy the \kbxxxx\updatename.xxx and paste it into the patch.txt (don't forget the . before pasting...); repeat for the other component patches in that update folder if applicable (.NET, anyone?)

    f. add either /Q or /passive /norestart to the entry depending on the installer type. 

    g. save the file

    h. go to the next folder

    repeat c. through h. 98 more times

    Check for typos (missing \ or . in particular), then add a pause at the end, save and rename to patch.cmd

    Pick your victim (test box, NOT production box!!!!!) and run the patch.cmd

    Run MBSA 2.2 against the system, note the KB's listed and repeat a.-h. until no more updates are required.

    Your system is now current...until next Patch Tuesday comes around :-)

    Oh, Happy Happy Joy Joy!!!!

     

     

    Tuesday, July 19, 2011 9:01 PM
  • "JimInTucson" wrote in message news:40330e38-2a32-48dc-97f2-384309524ef1...

     

    Oh, Happy Happy Joy Joy!!!!

     

     


    You've been watching too much Soylent Green :)

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, July 19, 2011 10:43 PM
  • I have a question:

     

    I installed Office 2007 Ent version and the patch (Office SR2) on my PC (Windows 7 Pro 64-bit), but it kept telling me I was missing all Office patches, which were installed and shown in Add/Remove Programs.

     

    Can anyone help with this?

    Tuesday, September 20, 2011 3:00 PM
  • It's unclear how you installed the update and whether you installed every update for every Office 2007 component (Word, PowerPoint, Project, etc.).  If MBSA still says you need an update, then you still need an update.

    Since the updates distributed by Windows and Microsoft Update may include multiple updates within a single update to fully and comprehensively install the needed update, you may want to simply allow Windows Update to scan for the needed updates, and download and install them.

    Until MBSA says you no longer need an update, you're not fully patched for all needed security issues.

    I hope that helps.


    Doug Neal - Microsoft Update and MBSA
    Tuesday, September 20, 2011 3:22 PM
  • I downloaded office SR2 and then manually installed it.

     

    I ran Windows Update but no Office update showed up. I think MBSA is malfunctioning. I totally uninstalled Office 2k7 and MBSA. I will try to reinstall both to see whether it can resolve the problem.


    • Edited by mag8990 Tuesday, September 20, 2011 3:26 PM
    Tuesday, September 20, 2011 3:25 PM
  • It didn't work; it still shows 22 Office patches missing, but it shows Office suite SP2 installed.

     

    These missing patches viewer 2007. office access 2007......

    But I just could not see any Office patch listed when I run Windows Update. It is frustrating.

    Tuesday, September 20, 2011 4:09 PM
  • It sounds like you're using Windows Update, not Microsoft Update.  If you're on Windows XP, try starting Windows Update, then OPT INTO the Microsoft Update service to get updates for products installed after Windows was installed.

    If you're on Vista or Windows 7, open the Windows Update applet in Control Panel and look under the item that shows 'You receive updates:' and be sure it includes "For Windows and other products from Microsoft Update."

    MBSA is rarely wrong - especially when it reports the need for an Office security update.


    Doug Neal - Microsoft Update and MBSA
    Tuesday, September 20, 2011 4:18 PM
  • can you send the .cmd file? this is so painful for people with standalone machines...

    the days are long...

    Wednesday, September 19, 2012 1:52 PM
  • woah...nevermind...lol

    the days are long...

    Wednesday, September 19, 2012 1:52 PM
  • People using standalone machines usually have no need of MBSA.

    You should use Windows Update.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, September 19, 2012 7:55 PM