In association with heise online

Last details

Our offline update installs only Windows updates classified by Microsoft as security-related. An accompanying check with Microsoft's Baseline Security Analyzer (MBSA, http://www.microsoft.com/technet/security/tools/mbsahome.mspx) should confirm that no important patches are missing. On Windows 2000, the script may have missed one update: the patch for Microsoft's outdated Java VM (KB816096), which has not been maintained for some time. Despite all our attempts, this update cannot be installed cleanly from a script. Anyone who needs Java applets to run securely is advised to switch to the current Java 5 from Sun. For similar reasons, on Windows 2000 the script also skips update 832483 for Microsoft Data Access Components (MDAC).

The script omits the Malicious Software Removal Tool. Strictly speaking, it is not a security update but a malware remover that recognises only a small number of current samples. A real virus scanner with fresh signatures produces significantly better results.

If, having finished the offline update, you then visit the Windows Update website, it will suggest the aforementioned patches as well as a handful of other updates for installation. At the time this article was written, that amounted to eight items for Windows XP. These packages do not close holes that attackers could exploit; they resolve smaller Windows problems or add optional components such as the controversial WGA notification.

The offline update draws its information from the same Microsoft catalogue file that MBSA uses, which is why both produce the same positive result. Interestingly, the packages missing from the offline update are not listed in MBSA's XML catalogue at all. Anyone wishing to install those updates offline as well can add them as static packages (see below for details).

How it works

When applying the updates, the script uses the same Windows Update Agent that the normal online update uses. Microsoft upgraded this agent in mid-2005 to work with the WSUS update server and also gave it a COM interface through which it can receive script errors. [3]

The update agent draws its information from the wsusscan.cab archive whose current version is made available for download by Microsoft at a static URL [4]. The Microsoft Baseline Security Analyzer (MBSA) also loads that file to determine whether or not the system is completely patched.

The archive contains a catalogue file called package.xml in which Microsoft indexes all security updates (and their dependencies) for all operating systems. The download URLs for all updates are also found there, allowing for direct downloading of the individual items from the Microsoft servers.

The download script that creates the installation media does not inspect the patch status of the PC that runs it. It uses XSLT (Extensible Stylesheet Language Transformations) to fish out the relevant URLs for a specific operating system, feeding Microsoft's XSLT processor with predefined style sheets located in the xslt folder of our script collection. This produces URL lists that are passed to wget, a program that then downloads all of the files. Microsoft's XML catalogue indexes significantly more updates than are required to bring a freshly installed instance of Windows up to date, so our solution has to allow for the additional space they take up on the installation media.

Some packages that the installation script is supposed to install, including the current service packs, are not listed in the XML catalogue at all. The download script therefore processes additional text files in the static directory that contain further URLs. Once everything is in place, the script instructs mkisofs to pack the content of the client subfolder into the ISO images.
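The URL extraction described above, as an added PowerShell example that is not code from the script collection: an XSLT style sheet with a product parameter is run with .NET's XslCompiledTransform over a constructed, simplified catalogue, and the result plus a static list becomes the input file for wget. The catalogue layout, host names and KB numbers are placeholders, not Microsoft's real package.xml schema.

```powershell
# Added example, not the script collection's own code: pull the download URLs for one
# product out of an XML catalogue with an XSLT style sheet, append the static URL list
# and write the file wget reads. The catalogue below is a constructed, simplified
# stand-in for Microsoft's package.xml; URLs and host names are placeholders.
$catalog = [xml]@'
<OfflineSyncPackage>
  <Updates>
    <Update UpdateId="u1" Product="WindowsXP"><PayloadFiles><File Id="f1"/></PayloadFiles></Update>
    <Update UpdateId="u2" Product="Windows2000"><PayloadFiles><File Id="f2"/></PayloadFiles></Update>
    <Update UpdateId="u3" Product="WindowsXP"><PayloadFiles><File Id="f3"/><File Id="f4"/></PayloadFiles></Update>
  </Updates>
  <FileLocations>
    <FileLocation Id="f1" Url="http://download.example/WindowsXP-KB000001-x86-ENU.exe"/>
    <FileLocation Id="f2" Url="http://download.example/Windows2000-KB000002-x86-ENU.exe"/>
    <FileLocation Id="f3" Url="http://download.example/WindowsXP-KB000003-x86-ENU.exe"/>
    <FileLocation Id="f4" Url="http://download.example/WindowsXP-KB000003-x86-ENU.cat"/>
  </FileLocations>
</OfflineSyncPackage>
'@
# The style sheet takes the product as a parameter, walks each matching update's
# payload files and resolves every file id to its URL, one URL per output line.
$styleSheet = [xml]@'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="product"/>
  <xsl:template match="/">
    <xsl:for-each select="/OfflineSyncPackage/Updates/Update[@Product=$product]/PayloadFiles/File">
      <xsl:variable name="id" select="@Id"/>
      <xsl:value-of select="/OfflineSyncPackage/FileLocations/FileLocation[@Id=$id]/@Url"/>
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
'@
$xslt = New-Object System.Xml.Xsl.XslCompiledTransform
$xslt.Load($styleSheet)
$xsltArgs = New-Object System.Xml.Xsl.XsltArgumentList
$xsltArgs.AddParam('product', '', 'WindowsXP')        # the "wxp" case
$writer = New-Object System.IO.StringWriter
$xslt.Transform($catalog, $xsltArgs, $writer)
$urls = @($writer.ToString() -split "`n" | Where-Object { $_.Trim() })
# Packages the catalogue does not list (service packs, for instance) come from a
# static list, like the text files in the script collection's static directory.
$staticUrls = @('http://download.example/WindowsXP-KB000004-SP3-x86-ENU.exe')   # constructed
$urls + $staticUrls | Set-Content -Path 'urls-wxp-enu.txt'
# wget then fetches the list (-i) into the client tree (-P) that mkisofs packs later:
#   wget -i urls-wxp-enu.txt -P client\wxp\enu
```

With the constructed catalogue the file ends up holding the three Windows XP URLs plus the static one; the Windows 2000 entry is left out by the predicate.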

For the later installation on the target PC, the VB script ListMissingUpdateIds.vbs requests the list of missing packages from the update agent. It takes the catalogue files required for this from the previously created installation media. The installation script then installs only those updates the agent lists as missing, another benefit compared with the older version of the offline update, which could not check what was already present.

Unfortunately, not all update packages accept the same command line switches; the compiled AutoIt script RetryingUpdateInstaller.exe resolves this problem: it first attempts to install a package with the parameters /q /z (quiet mode, no reboot), which works for almost all current packages. If that fails, the script makes a new attempt with the /Q parameter, which works with older update packages.
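The query that ListMissingUpdateIds.vbs performs, as an added PowerShell example that is not the project's own code: it registers the wsusscan.cab from the media with the Windows Update Agent through its COM interface and asks for everything not yet installed, without contacting Microsoft online. The cab path and the output file name are assumptions.

```powershell
# Added example, not the project's ListMissingUpdateIds.vbs: ask the Windows Update
# Agent which updates are missing, scanning against the catalogue copied onto the
# installation media instead of contacting Microsoft online.
param([string]$CabPath = 'D:\wsusscan.cab')   # assumed location of the cab on the media

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
# Register the cab as a scan source. Flag 0 makes the registration volatile, so the
# RemoveService call below leaves nothing behind on the target PC.
$scanService = $serviceManager.AddScanPackageService('Offline Sync Service', $CabPath, 0)
try {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                 # ssOthers: use the service registered above
    $searcher.ServiceID      = $scanService.ServiceID

    # IsInstalled=0: not yet applied; IsHidden=0: not deliberately suppressed by an admin
    $result  = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $missing = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            UpdateId = $u.Identity.UpdateID
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
    $missing | Format-Table KB, Severity, Title -AutoSize
    # Hand the installer half of the procedure a plain list of update ids, one per
    # line (file name assumed; the project's own exchange format is not shown here).
    $missing | ForEach-Object { $_.UpdateId } | Set-Content -Path 'MissingUpdateIds.txt'
} finally {
    $serviceManager.RemoveService($scanService.ServiceID)
}
```

Run from an elevated prompt on the target PC; an empty table after the scan is the offline equivalent of MBSA reporting no missing patches.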

Command line

The two programs, DownloadStarterGUI and UpdateStarterGUI, are implemented in the AutoIt scripting language (see www.autoitscript.com). They serve solely as a user interface for the batch scripts DownloadUpdatesAndCreateISOImage.cmd and DoUpdate.cmd, located in the subfolders cmd and client\cmd.

The Windows Task Scheduler allows the download batch script to run on a regular schedule, so that the update packages and the ISO files created by the script are always fresh. If you set the download to run every night, you will also be among the first to receive updates that Microsoft releases outside the standard Patch Tuesday schedule.

The download script understands the following command line switches for use with the Task Scheduler:

DownloadUpdatesAndCreateISOImage.cmd 
{w2k | w2k3 | wxp} {deu | enu}
[/scheduled] [/skipiso] [/proxy http://server:port]

The parameters "wxp enu" instruct the script to download only updates for an English version of Windows XP, for example. /skipiso skips the creation of the image files.

If you also set up the Task Scheduler to retrieve current updates for Windows 2000, you must have administrator rights the first time you run the download script, since the network installer for Internet Explorer 6 cannot work unattended when the Task Scheduler starts the script. Include the /scheduled parameter in the configuration so that the script does not make a fresh attempt to download the browser.

The installation of the updates can also be started on the target PC from the command line:

DoUpdate.cmd [/all] [/autoreboot] [/showlog]

The /autoreboot parameter activates the automatic reboot; /showlog opens the log file in Notepad once the installation has finished. The /all switch, not available in the GUI, forces reinstallation of all updates, even those already installed on the target PC.

Permalink: http://h-online.com/-747193